System and method for a cloud computing abstraction layer with security zone facilities

ABSTRACT

In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/621,443 filed on Jun. 13, 2017, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, which is a continuation of U.S. patent application Ser. No. 14/720,681 filed May 22, 2015, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, which is a continuation of U.S. patent application Ser. No. 13/354,275 filed Jan. 19, 2012 and issued on Jun. 30, 2015 as U.S. Pat. No. 9,069,599, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, which claims the benefit of U.S. Provisional Patent Application No. 61/434,396 filed Jan. 19, 2011, entitled “SYSTEM AND METHOD FOR CLOUD COMPUTING”, each of which is hereby incorporated herein by reference in its entirety.

U.S. patent application Ser. No. 13/354,275 filed Jan. 19, 2012, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES”, is a continuation-in-part of U.S. patent application Ser. No. 13/009,774 filed Jan. 19, 2011 and issued on Jan. 6, 2015 as U.S. Pat. No. 8,931,038, entitled “SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER”, which claims priority to U.S. Provisional Patent App. No. 61/296,405 filed on Jan. 19, 2010, entitled “ENTERPRISE CLOUD SYSTEM AND METHOD”, each of which is hereby incorporated herein by reference in its entirety. Related U.S. patent application Ser. No. 12/488,424 entitled “CLOUD COMPUTING GATEWAY, CLOUD COMPUTING HYPERVISOR, AND METHODS FOR IMPLEMENTING SAME” filed Jun. 19, 2009, and issued on Aug. 20, 2013 as U.S. Pat. No. 8,514,868, claims priority to U.S. Provisional Patent Application No. 61/074,027 filed Jun. 19, 2008 entitled “CLOUD COMPUTING GATEWAY AND CLOUD COMPUTING HYPERVISOR”, each of which is hereby incorporated herein by reference in its entirety.

BACKGROUND

Field of the Invention

The present invention relates to the field of cloud computing, and more particularly, the invention relates to systems and methods for securing, controlling and managing cloud services, applications, platforms and infrastructure.

Description of the Related Art

Companies have begun offering businesses a new cloud computing outsourcing option that promises reduced costs, improved availability, improved scalability, and reduced time to deploy new applications. These companies act as managed service providers that rent virtual computer, storage, and Internet connectivity services for variable periods on a pay-per-use basis from large pools of re-purposable, multi-tenant computing resources. Such cloud infrastructure providers include Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, and Mosso®.

Many businesses, however, are currently unable to use cloud infrastructure because of a lack of security, control, and manageability of the computing capacity rented from the cloud infrastructure providers. These problems prevent such businesses from maximizing their use of cloud infrastructure, which includes virtual server instances, storage, and Internet bandwidth. Enterprises also have difficulty identifying what cloud resources they should use, and how they should use them, such that usage is consistent with the technical, operational, and business needs of the enterprise.

SUMMARY

According to various embodiments of the invention, systems and methods are provided for one or more cloud computing abstraction layers. Through various embodiments of the present invention, a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service. Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a common interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud-computing resources.

Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising one or more cloud-computing resources (e.g., management, building, configuration, publication, validation, and development and deployment of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources); audit control of cloud-computing services; or secure access to cloud-computing services. Accordingly, embodiments of the present invention provide on-demand access by internal users, external users (e.g. customers, service partners), and developers to cloud-computing services, such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), provided from a governed federation of internal (private cloud) and external cloud (commercial cloud) service providers. Some such embodiments allow for rapid and dynamic deployment and scaling of cloud-computing services. A private cloud may comprise, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV; and a public cloud may comprise, for example, Amazon EC2®, Amazon Web Services®, Terremark®, Savvis®, or GoGrid®.

According to one system of the invention, the system provides a cloud-computing service from a cloud-computing environment comprising a plurality of cloud-computing resources, the system comprising: a management module configured to manage a cloud-computing resource of the plurality of cloud-computing resources as a cloud-computing service, wherein the cloud-computing service performs a computer workload and the cloud-computing service comprises the cloud-computing resource; an adapter configured to connect the cloud-computing resource to the system and translate a management instruction received from the management module (e.g., an intermediate representation of a command from a client) into a cloud application program interface call for the cloud-computing resource (e.g., a proprietary API call for Amazon EC2®); a cloud service bus configured to route the management instruction from the management module to the adapter; a consumption module configured to allow a user to subscribe to the cloud-computing service; a planning module configured to plan the cloud-computing service; and a build module configured to build the cloud-computing service from the cloud-computing resource and publish the cloud-computing service to the consumption module. In some such embodiments, the system provides a user interface configured to provide access to the system as a virtual private cloud. The system may further comprise a cloud model utilized by the adapter to translate the management instruction to the (target) cloud API call.

In certain embodiments, the virtual private cloud is utilized for operation of a cloud-computing service in accordance with the present invention. In particular embodiments, a computer workload (e.g., application, server software, software development environment, software test environment) is a unit of computing processing that is performed via an IaaS, PaaS, or SaaS. For example, IaaS may comprise instances of Microsoft® Windows or Linux running on a virtual computer, or a Desktop-as-a-service (DaaS) provided by Citrix® or VMWare®; a PaaS may comprise a database server (e.g., MySQL® server), Samba server, Apache® server, Microsoft® IIS.NET server, Java® runtime, or Microsoft® .NET® runtime, Linux-Apache-MySQL-PHP (LAMP) server, Microsoft® Azure, or Google® AppsEngine; a SaaS may comprise SalesForce®, Google® Apps, or other software application that can be deployed as a cloud service, such as in a web services model. A cloud-computing resource may be a physical or virtual computing resource (e.g., virtual machine). In some embodiments, the cloud-computing resource is a storage resource (e.g., Storage Area Network (SAN), Network File System (NFS), or Amazon S3®), a network resource (e.g., firewall, load-balancer, or proxy server), an internal private resource, an external private resource, a secure public resource, an infrastructure-as-a-service (IaaS) resource, a platform-as-a-service (PaaS) resource, or a software-as-a-service (SaaS) resource. Hence, in some embodiments, a cloud-computing service provided may comprise an IaaS, PaaS, or SaaS provided by a private or commercial (e.g., public) cloud service provider, such as Amazon Web Services®, Amazon EC2®, GoGrid®, Joyent®, Mosso®, or the like.

In various embodiments, management of the cloud-computing service by the management module comprises provisioning the cloud-computing service for a virtual private cloud, releasing the cloud-computing service for the virtual private cloud, accounting for usage of the cloud-computing service in the virtual private cloud, or monitoring the cloud-computing service. For example, in some embodiments, the management module manages cloud-computing resources for a cloud-computing service being offered by the system by provisioning a cloud-computing resource for the cloud-computing service, deploying a cloud-computing resource for the cloud-computing service, or releasing a cloud-computing resource being used by the cloud-computing service. In some embodiments, the provisioning involves starting, stopping, or generally controlling an instance of a cloud-computing resource (e.g., IaaS providing an instance of Linux) on behalf of a cloud-computing service. For example, an embodiment may launch scripts to start an instance of a cloud-computing resource, launch scripts to securely (e.g., via encryption) attach a file system (e.g., a storage volume) to the instantiation of the cloud-computing resource (e.g., so that the cloud-computing resource can access local or remote client data securely), and then connect a client to the instantiation through a virtual private network (VPN) connection between the client's local network and the cloud provider's network.

In further embodiments, the management module is further configured to perform collection and maintenance of cost and consumption of various cloud-computing resources such as CPU-time, storage volume consumption, network I/O and other configurable cloud-computing cost and consumption factors. For example, in some embodiments the management module accounts for usage of one or more cloud-computing services by a client by collecting, aggregating and providing this information through an API to customer billing systems, while also presenting reporting through the consumption module that shows cost and consumption comparisons, projections and usage. Some embodiments may utilize Ariba®, SAP®, or the like to facilitate accounting and billing of usage of the cloud-computing service.

In some embodiments, the build module allows a developer to create a cloud-computing service (e.g., IaaS, PaaS, and SaaS) comprising one or more cloud-computing resources. The build module may utilize build scripts to build a cloud-computing service from one or more cloud-computing resources, configure a cloud-computing service, or publish a cloud-computing service for consumption.

In various embodiments, a cloud-computing service may be published to a consumption module that allows an end-user to subscribe to the cloud-computing service and utilize the service. In some embodiments, the end-user may access and subscribe to the cloud-computing service through a user interface that lists published and available cloud-computing services. For example, the user interface may be a storefront through which an end-user may preview and select a cloud-computing service for use.

With some embodiments, an organization can determine the most suitable deployment of a computer workload to a cloud-computing environment, or determine the value/benefit of deploying a computer workload to a cloud-computing environment. For some embodiments, the planning module analyzes a computer workload or workflow that may have previously been on a physical or virtual computing resource and assists in migrating or importing the computer workload or workflow to the cloud-computing environment. In further embodiments, the planning module assesses difficulty in migrating or importing the computer workload or workflow, and the efficiency or value of using the cloud-computing environment. In other embodiments, the planning module determines the correct placement of a computer workload or workflow to an appropriate cloud-computing service based on the profile or characteristics of the computer workload (e.g., determine that the computer workload or workflow needs to be performed within a secure cloud/public cloud/private cloud). For example, for a trading platform, which needs a low-latency computing environment that is secure, an embodiment may recommend placement of the trading platform in a cloud-computing service comprising a be used for long-term storage of non-sensitive data, an embodiment may recommend configuration of the platform to use cloud-computing services comprising a public cloud resource, or a combination of cloud and physical resources, such as archival tape storage resources. Further, the placement decision is guided by policy that ensures the cloud-computing resource is placed in the appropriate cloud-computing service.

In particular embodiments, the system further comprises a policy engine module configured to enforce a policy on the cloud-computing service through the management module. For example, in some embodiments, the management module monitors a cloud-computing resource of the cloud-computing service through the adapter and provisions the cloud-computing resource according to the policy engine module. Additionally, for some embodiments, the management module monitors a cloud-computing resource's performance using Ganglia Monitoring System or collectd (an open source daemon that collects system performance statistics periodically).

In some embodiments, the system further comprises an identity management module configured to connect to an authentication system and authenticate the user for the cloud-computing service. For example, in some embodiments, the identity management module connects to disparate authentication systems (e.g., Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, Lightweight Directory Access Protocol (LDAP), or Kerberos) to create a federated authentication system that allows unified authentication to a cloud-computing service.

In various embodiments, the system further comprises an encryption module configured to perform encryption services for the cloud-computing service. For example, the encryption services can include encryption of data on a storage device or data communicated over a network connection. In other embodiments, the system further comprises a connection module configured to securely connect the cloud-computing service to a client network or a cloud provider network. For example, a connection module may be deployed on a client network or a cloud provider network to facilitate a secure network connection between the cloud-computing service and a client network.

According to some embodiments, a method is provided for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: providing a virtual private cloud configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload; receiving a request to perform the computer workload within the virtual private cloud; provisioning the cloud-computing resource from the plurality of cloud-computing resources; deploying the cloud-computing resource within the virtual private cloud; and using the cloud-computing resource to perform the computer workload.

As noted before, the cloud-computing resource may be a virtual (e.g., virtual machine) or physical cloud-computing resource (e.g., dedicated server). For example, the cloud-computing resource may be a virtual computing resource where the virtual computing resource is deployed under control of a virtual machine manager. The cloud-computing resource may be a storage resource, a network resource, an internal private resource, an external private resource, a secure public resource, a platform-as-a-service (PaaS), a software-as-a-service (SaaS), or an infrastructure-as-a-service (IaaS). The cloud-computing resource may be a hybrid cloud-computing resource comprising at least two of a physical resource, a virtualized resource, a private resource, a public resource, an internal resource, or an external resource.

In some embodiments, the method further comprises receiving a constraint for the cloud-computing resource or for a computer workload that may be deployed on the cloud-computing resource, wherein the cloud-computing resource is a cloud-computing resource; and applying the constraint on the cloud-computing resource such that, when the cloud-computing resource is used to perform the computer workload, the cloud-computing resource's operation is limited according to the constraint. In other embodiments, the method further comprises declaring a static network address for the computer workload.

In some embodiments, the method further comprises: defining a security zone such that the security zone comprises the virtual private cloud; and applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to the security policy. The security zone may be defined according to a physical location of the virtual private cloud's usage, a network location of the virtual private cloud's usage, or an attribute of an organization associated with the virtual private cloud. The security policy may be an access policy, a read-permission policy, a write-permission policy, an edit-permission policy, a privacy-based policy, a policy regarding a required level or type of encryption, a cloud-computing resource utilization policy, or other policy. The security policy can be configured to only allow software packages that comply with the security zone's policies to be deployed within the security zone. For example, a security zone may be defined as a specified virtual private network (VPN) or a specified physical network of a business enterprise, such that computer workloads being performed by a cloud-computing resource operating in that zone may be modified only by users who have specified authorization credentials issued by that enterprise. Among some embodiments, a security zone may be defined as cloud-computing resources (public or private) that are physically located in a geographical area, such as the United States, allowing a security policy to be applied that prohibits export of data that is to be associated with computer workloads executed in that security zone. In other embodiments, the policies are defined and implemented on the firewalls through a central policy server.

In additional embodiments, the method further comprises: receiving at a central policy server a definition for a security policy, wherein the central policy server is configured to associate the security policy to the computer workload or to the cloud-computing resource performing the computer workload; and pushing the security policy to the cloud-computing resource.

For some embodiments, provisioning the cloud-computing resource comprises: locating an unreserved cloud-computing resource within the plurality of cloud-computing resources; and reserving for the virtual private cloud the unreserved cloud-computing resource.

In embodiments where the cloud-computing resource is an infrastructure element, the method further comprises: providing a user interface that allows a user to deploy or configure the infrastructure element; setting, through the user interface, a policy for the infrastructure element or for a computer workload that may be deployed on the infrastructure element; and applying the policy to the infrastructure element when the infrastructure element or computer workload is deployed within the virtual private cloud. The method may further comprise: determining a reference design for the infrastructure element; and deploying the infrastructure element in the virtual private cloud according to the reference design.

In other embodiments, the method further comprises: associating a policy with the computer workload to be performed within the virtual private cloud; and applying the policy to the cloud-computing resource performing the computer workload during the computer workload's performance.

In additional embodiments, receiving the request to perform the computer workload or the application of the policy to the computer workload comprises: receiving an application to be migrated to a cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application.

In further embodiments, the method further comprises: using an adapter to connect the virtual private cloud to one or more other cloud-computing resources, such as of the types described herein; using a metamodel data structure to store an association between a computer workload and a policy; and pushing the metamodel data structure to the adapter such that, when the cloud-computing resource is deployed to perform the computer workload, the adapter applies the policy to the computer workload or to the cloud-computing resource performing the computer workload. In some such embodiments, when a computer workload is moved from using one cloud-computing resource to a second cloud-computing resource, the method may further comprise pushing the metamodel data structure to a second adapter that connects the second cloud-computing resource to the virtual private cloud such that, when the second cloud-computing resource is deployed, such as within the virtual private cloud to perform the computer workload, the second adapter applies the policy to the second cloud-computing resource performing the computer workload.
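The adapter, cloud model, cloud service bus and metamodel described in this passage and in the system summary above, as an added Python example written for this page (it is not code from the patent or its assignee). The class names, the "privatecloud" provider and its call names are assumptions; the EC2 call and argument names follow the public AWS API, but the calls are only built as dictionaries and nothing is sent to a provider. The example shows a provider-neutral management instruction translated into two different provider API calls, a resource-utilization constraint and a declared static network address applied by the adapter from the pushed metamodel, and the same policy following the workload when it moves to a second adapter:

```python
"""Added example: a minimal cloud abstraction layer (adapter, cloud model,
cloud service bus, metamodel). Illustrative code, not the patent's."""
from dataclasses import dataclass, field
from typing import Any


@dataclass(frozen=True)
class ManagementInstruction:
    """Provider-neutral intermediate representation of a client command."""
    action: str                                  # "start" or "stop"
    workload: str                                # logical workload the resource serves
    params: dict[str, Any] = field(default_factory=dict)


class PolicyViolation(Exception):
    """Raised when a policy pushed via the metamodel forbids the instruction."""


# Cloud model: neutral action -> (provider API call, neutral param -> provider arg).
# EC2 names follow the public AWS API; PRIVATE_MODEL is a made-up private cloud.
EC2_MODEL = {
    "start": ("RunInstances", {"image": "ImageId", "size": "InstanceType",
                               "static_address": "PrivateIpAddress"}),
    "stop": ("TerminateInstances", {"instance": "InstanceIds"}),
}
PRIVATE_MODEL = {  # hypothetical private-cloud API (assumption)
    "start": ("vm.create", {"image": "template", "size": "flavor",
                            "static_address": "fixed_ip"}),
    "stop": ("vm.destroy", {"instance": "vm_id"}),
}


class Adapter:
    """Connects one provider to the bus, translates IR into that provider's API
    call using its cloud model, and applies workload policies from the metamodel."""

    def __init__(self, provider: str, cloud_model: dict) -> None:
        self.provider = provider
        self.cloud_model = cloud_model
        self.metamodel: dict[str, dict[str, Any]] = {}   # workload -> policy

    def push_metamodel(self, metamodel: dict[str, dict[str, Any]]) -> None:
        self.metamodel = dict(metamodel)

    def translate(self, instr: ManagementInstruction) -> dict[str, Any]:
        if instr.action not in self.cloud_model:
            raise ValueError(f"{self.provider}: no mapping for action {instr.action!r}")
        call, arg_map = self.cloud_model[instr.action]
        params = dict(instr.params)
        self._apply_policy(instr, params)            # policy may reject or amend params
        unknown = set(params) - set(arg_map)
        if unknown:
            raise ValueError(f"{self.provider}: unmapped parameters {sorted(unknown)}")
        return {"provider": self.provider, "call": call,
                "args": {arg_map[k]: v for k, v in params.items()}}

    def _apply_policy(self, instr: ManagementInstruction, params: dict[str, Any]) -> None:
        policy = self.metamodel.get(instr.workload, {})
        if instr.action != "start":
            return
        allowed = policy.get("allowed_sizes")          # resource-utilization constraint
        if allowed and params.get("size") not in allowed:
            raise PolicyViolation(f"{instr.workload}: size {params.get('size')!r} "
                                  f"not in {sorted(allowed)}")
        if "static_address" in policy:                 # declared static network address
            params["static_address"] = policy["static_address"]


class CloudServiceBus:
    """Routes management instructions to the adapter for the target provider."""

    def __init__(self) -> None:
        self.adapters: dict[str, Adapter] = {}

    def register(self, adapter: Adapter) -> None:
        self.adapters[adapter.provider] = adapter

    def push_metamodel(self, metamodel: dict[str, dict[str, Any]]) -> None:
        for adapter in self.adapters.values():     # same associations reach every adapter
            adapter.push_metamodel(metamodel)

    def route(self, provider: str, instr: ManagementInstruction) -> dict[str, Any]:
        return self.adapters[provider].translate(instr)


def build_bus() -> CloudServiceBus:
    bus = CloudServiceBus()
    bus.register(Adapter("ec2", EC2_MODEL))
    bus.register(Adapter("privatecloud", PRIVATE_MODEL))
    # Metamodel entry for one workload (constructed sample data).
    bus.push_metamodel({"db-tier": {"allowed_sizes": {"m1.large", "m1.xlarge"},
                                    "static_address": "10.20.0.5"}})
    return bus


def deploy_db_tier(bus: CloudServiceBus, provider: str, size: str) -> dict[str, Any]:
    """Start the db-tier workload on a provider; its policy travels with it."""
    instr = ManagementInstruction("start", "db-tier", {"image": "ami-db", "size": size})
    return bus.route(provider, instr)


if __name__ == "__main__":
    bus = build_bus()
    print(deploy_db_tier(bus, "ec2", "m1.large"))
    print(deploy_db_tier(bus, "privatecloud", "m1.large"))   # moved workload, same policy
    try:
        deploy_db_tier(bus, "ec2", "m1.small")
    except PolicyViolation as exc:
        print("blocked:", exc)
```

The policy is enforced inside the adapter rather than in the client, so a caller that bypasses the management module's user interface and speaks to the bus directly still cannot start an oversized instance or drop the declared address; that is the property to check when reviewing an abstraction layer of this kind.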

In other embodiments, the method comprises identifying the cloud-computing resource for performing the computer workload. Identifying the cloud-computing resource may be based on a computer workload score determined by a scoring logic. The scoring logic may be, for example, based on a business attribute of the computer workload, a technical attribute of the computer workload, or an operational attribute of the computer workload. In further embodiments, the scoring logic uses a mix of at least two of a business attribute, an operational attribute and a technical attribute. In various embodiments, the scoring logic may be editable or may be dynamically updated at or near real-time.

In some embodiments, the computer workload may be scalable. For example, the computer workload may be scaled down to decrease the computer workload's use of memory and processing time during performance within a virtual private cloud, or the number of cloud-computing resources which execute the computer workload may be increased or decreased. In further embodiments, the scaling is based on a policy, which may be associated with the computer workload, stored in a metamodel, and pushed via an adapter to or among various cloud computing resources.

In some embodiments, deploying the cloud-computing resource comprises deploying a pre-determined set of cloud-computing resources to optimize the computer workload's performance.

In further embodiments, the method further comprises setting a condition for the computer workload, wherein the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload.

According to other embodiments, a method is provided for a cloud-computing environment comprising a plurality of cloud-computing resources, the method comprising: receiving a computing workflow to be performed in the cloud-computing environment; identifying a computer workload to perform the computing workflow; associating a policy with the computer workload; testing the computer workload in a pre-production virtual private cloud (e.g., computing environment) within the cloud-computing environment; deploying the computer workload in a production virtual private cloud (e.g., computing environment) within the cloud-computing environment; and applying the policy to the computer workload during the computer workload's performance within the production virtual private cloud for consumption. In some such embodiments, identifying the computer workload to perform the computing workflow involves identifying a plurality of computer workloads to perform the computing workflow.

According to other embodiments, the present invention may provide a method and system for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. The system and method may allow a developer to define a security zone and to apply at least one type of security policy with respect to the security zone, including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and, if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone. In embodiments, the security zone may be a geographic zone, a network zone, an enterprise zone, an operational zone, an organizational zone, and the like. The security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like. The security policy may determine whether a software workload is allowed to operate in a specified security zone. The method and system may automatically establish firewall rules across multiple firewalls in multiple security zones for newly deployed applications by tagging application software workloads that are deployed within the security zones. The firewalls may be of types provided by different vendors and employ different operating systems, communication protocols, or programming languages. The method and system may automatically remove firewall rules across multiple firewalls in multiple security zones when the firewall rules no longer apply to any software workload within the security zones. The method and system may provide an alert when a software workload is planned to be deployed in a security zone in a manner that is inconsistent with at least one of a security zone policy applicable to the security zone and a security policy associated with the workload.
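The security-zone behaviour described here and in the earlier security-zone passage (zone definitions, a zone policy type carried with the workload, an alert when a planned deployment is inconsistent with zone or workload policy, and firewall rules created from workload tags and withdrawn when no workload in the zone still needs them), as an added Python example written for this page rather than taken from the patent. Zone names, policy keys, the tag format and the two firewall rule syntaxes are assumptions; rules are rendered as text and nothing is pushed to a real firewall:

```python
"""Added example: security zones, zone/workload policy checks, and tag-driven
firewall rules shared across workloads. Illustrative code, not the patent's."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SecurityZone:
    name: str
    kind: str                    # geographic, network, enterprise, operational, ...
    policy: dict                 # zone policy; the keys used below are assumptions
    firewall_vendor: str         # selects the rule syntax for this zone's firewalls


@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset              # e.g. "zone:us-prod", "port:443", "classification:pii"
    policy: dict                 # policy associated with the workload in the metamodel


class ZonePolicyAlert(Exception):
    """Planned deployment is inconsistent with zone or workload policy."""


ENCRYPTION_RANK = {"none": 0, "AES-128": 1, "AES-256": 2}


def tag_value(tags: frozenset, prefix: str) -> Optional[str]:
    for tag in tags:
        if tag.startswith(prefix + ":"):
            return tag.split(":", 1)[1]
    return None


def check_deployment(workload: Workload, zone: SecurityZone) -> list:
    """Return every inconsistency between the workload and the target zone."""
    problems = []
    if f"zone:{zone.name}" not in workload.tags:
        problems.append(f"{workload.name} is not tagged for zone {zone.name}")
    required_kind = workload.policy.get("requires_zone_kind")
    if required_kind and zone.kind != required_kind:
        problems.append(f"{workload.name} requires a {required_kind} zone, "
                        f"{zone.name} is {zone.kind}")
    allowed = zone.policy.get("allowed_classifications")
    classification = tag_value(workload.tags, "classification") or "public"
    if allowed is not None and classification not in allowed:
        problems.append(f"zone {zone.name} does not accept {classification} data")
    need = ENCRYPTION_RANK[zone.policy.get("min_encryption", "none")]
    have = ENCRYPTION_RANK[workload.policy.get("encryption", "none")]
    if have < need:
        problems.append(f"{workload.name} encryption below zone minimum "
                        f"{zone.policy['min_encryption']}")
    if workload.policy.get("exports_data") and not zone.policy.get("data_export", True):
        problems.append(f"zone {zone.name} prohibits data export")
    return problems


# Per-vendor rule syntax (both made up for this example). Rule text depends only
# on the port, so several workloads in one zone share a single rule.
RULE_RENDERERS: dict[str, Callable[[int], str]] = {
    "acl-style": lambda port: f"permit tcp any any eq {port}",
    "kv-style": lambda port: f"rule action=allow proto=tcp dport={port}",
}


class ZoneFirewallManager:
    """Tracks which deployed workloads still need each firewall rule in each zone."""

    def __init__(self, zones: list) -> None:
        self.zones = {z.name: z for z in zones}
        # zone -> rule text -> names of workloads that still need the rule
        self.rules: dict[str, dict[str, set]] = {z.name: {} for z in zones}

    def deploy(self, workload: Workload, zone_name: str) -> list:
        """Alert on policy conflicts, else add missing rules. Returns new rules."""
        zone = self.zones[zone_name]
        problems = check_deployment(workload, zone)
        if problems:
            raise ZonePolicyAlert("; ".join(problems))
        render = RULE_RENDERERS[zone.firewall_vendor]
        added = []
        for tag in sorted(workload.tags):
            if tag.startswith("port:"):
                rule = render(int(tag.split(":", 1)[1]))
                owners = self.rules[zone_name].setdefault(rule, set())
                if not owners:
                    added.append(rule)
                owners.add(workload.name)
        return added

    def retire(self, workload_name: str, zone_name: str) -> list:
        """Drop the workload; remove rules nobody needs. Returns removed rules."""
        removed = []
        for rule, owners in list(self.rules[zone_name].items()):
            owners.discard(workload_name)
            if not owners:
                del self.rules[zone_name][rule]
                removed.append(rule)
        return removed

    def active_rules(self, zone_name: str) -> list:
        return sorted(self.rules[zone_name])


# Constructed sample zones and workloads.
US_PROD = SecurityZone("us-prod", "geographic",
                       {"allowed_classifications": {"public", "internal", "pii"},
                        "min_encryption": "AES-256", "data_export": False}, "acl-style")
EU_DEV = SecurityZone("eu-dev", "network",
                      {"allowed_classifications": {"public", "internal"}}, "kv-style")
WEB = Workload("web", frozenset({"zone:us-prod", "port:443", "classification:internal"}),
               {"encryption": "AES-256"})
API = Workload("api", frozenset({"zone:us-prod", "port:443", "port:8443",
                                 "classification:pii"}),
               {"encryption": "AES-256", "requires_zone_kind": "geographic"})
REPORTS = Workload("reports", frozenset({"zone:eu-dev", "port:80", "classification:pii"}),
                   {"encryption": "AES-128"})

if __name__ == "__main__":
    mgr = ZoneFirewallManager([US_PROD, EU_DEV])
    print("web added:", mgr.deploy(WEB, "us-prod"))
    print("api added:", mgr.deploy(API, "us-prod"))      # 443 already open, only 8443 new
    print("web retired, removed:", mgr.retire("web", "us-prod"))   # 443 still needed
    print("api retired, removed:", mgr.retire("api", "us-prod"))
    try:
        mgr.deploy(REPORTS, "eu-dev")
    except ZonePolicyAlert as exc:
        print("alert:", exc)
```

Reference counting the rule by the workloads that need it is what makes automatic removal safe: retiring the first of two workloads that share port 443 removes nothing, and the rule disappears only when the last owner leaves the zone. The policy check runs before any rule is rendered, so a workload that is planned for the wrong zone never opens a port there.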

According to further embodiments, various operations described above are implemented using a computer. For example, some embodiments provide for a computer program product comprising a computer useable medium having program instructions embodied therein for performing operations similar to those performed by methods according to the present invention.

Other features and aspects of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate, by way of example, the features in accordance with embodiments of the invention. The summary is not intended to limit the scope of the invention, which is defined solely by the claims attached hereto.

These and other systems, methods, objects, features, and advantages of the present invention will be apparent to those skilled in the art from the following detailed description of the preferred embodiment and the drawings. All documents mentioned herein are hereby incorporated in their entirety by reference.

BRIEF DESCRIPTION OF THE FIGURES

The present invention, in accordance with one or more various embodiments, is described in detail with reference to the following figures. The drawings are provided for purposes of illustration only and merely depict typical or example embodiments of the invention. These drawings are provided to facilitate the reader's understanding of the invention and shall not be considered limiting of the breadth, scope, or applicability of the invention. It should be noted that for clarity and ease of illustration these drawings are not necessarily made to scale.

FIG. 1 is a diagram illustrating an example system in accordance with an embodiment of the present invention.

FIG. 2A is a diagram illustrating an example management module in accordance with an embodiment of the present invention.

FIG. 2B is a diagram illustrating an example management module in accordance with an embodiment of the present invention.

FIG. 3 is a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention.

FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention.

FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention.

FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention.

FIG. 7 is a diagram illustrating an example governor module in accordance with an embodiment of the present invention.

FIG. 8 is a flowchart illustrating an example method in accordance with an embodiment of the present invention.

FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention.

FIG. 10 is a diagram illustrating an example system in accordance with an embodiment of the present invention.

FIG. 11 is a diagram illustrating an example of an enterprise cloud ecosystem in an embodiment of the present invention.

FIG. 12 is a diagram illustrating an example of a policy-driven governance and control scenario in an embodiment of the present invention.

FIG. 13 is a diagram illustrating an embodiment for a self-service enterprise application store.

FIG. 14 is a diagram illustrating an example of a computing module for implementing various embodiments of the invention.

The figures are not intended to be exhaustive or to limit the invention to the precise form disclosed. It should be understood that the invention can be practiced with modification and alteration, and that the invention be limited only by the claims and the equivalents thereof.

While the invention has been described in connection with certain preferred embodiments, other embodiments would be understood by one of ordinary skill in the art and are encompassed herein.

All documents referenced herein are hereby incorporated by reference.

DETAILED DESCRIPTION

The present invention is directed toward a system and method for a cloud computing abstraction layer. Through various embodiments of the present invention, a user can plan cloud-computing services, build a cloud-computing service, publish the cloud-computing service for consumption by users, or run the cloud-computing service. Some embodiments of the present invention provide access to disparate public or private cloud-computing resources through a standard interface. Additionally, some embodiments can apply governance uniformly over disparate public or private cloud computing resources.

Some systems may, for example, enable: self-service access to cloud-computing resources by end-users, developers, and admins; automated services with respect to cloud-computing services comprising one or more cloud-computing resources (e.g., management, building, configuration, publication, and validation of cloud-computing services); rapid provisioning (e.g., deployment, release, scheduling, control, etc.) of cloud-computing resources within a cloud-computing service; governance control of cloud-computing resources within a cloud-computing service (e.g., application of security and non-security policies to cloud-computing resources); audit control of cloud-computing services; or secure access to cloud-computing services.

Advantages of the present invention's model include enabling a federated constituency of internal and external service providers that can be selected (and switched as needed) to provide best fit and value, such as between different internal and external cloud providers. For example, development projects, which may be subjected to waiting times or interruptions, but which contain highly confidential information, may be deployed on a cloud that has low cost, but that has very specific security requirements, while commercial services, some of which are non-confidential in nature, might preferably be deployed on very fast, highly scalable cloud infrastructure to ensure high quality of service, but security requirements might be different than for a development project. A range of factors may be relevant to deployment of a particular project or service (or to a particular workload element related to it), including technical factors (the processing, storage, bandwidth, and other capabilities required to execute a workload), operational factors (such as when and where a workload needs to be available to meet the operational requirements of a business), and business factors (such as anticipated revenues, costs, quality of service requirements, and the like). By enabling federation of services, applications, platform elements, infrastructure elements and the like across multiple types of clouds (including internal and external clouds from varying vendors), while providing a single, unified interface for developing workloads and associating policies relating technical, operational, business and other requirements, the embodiments described herein allow an enterprise to satisfy such requirements much more effectively and efficiently than was possible with prior offerings.

On top of infrastructure elements provided for a cloud there may be platforms, stacks, software applications, and the like. There may be many different use cases and variations possible in an ‘everything as-a-service’ world, such as development and test environments as-a-service, databases as-a-service, platforms as a service, infrastructure as a service, software as a service, and many flavors of each offering different types of services, and the like. Benefits to the federated structure may include greater agility, vendor contestability, and innovation by transitioning an enterprise from a fixed to a variable cost infrastructure (thus avoiding enormous waste currently associated with fixed cost resources acquired by enterprises to meet peak needs but unused in off-peak periods), increased transparency (including the capability to compare the cost, functional benefits, and value of each sub-element of a service, platform, application, or infrastructure component), more direct revenue-to-cost operating models, right-place, right-size workload placement, minimal vendor lock-in and dependencies, improved standardization, lower risk operating environments, metered cost savings through ‘pay-as-you-go’ economics and demand-driven consumption, faster time-to-market through on-demand provisioning, a compressed systems development life cycle (SDLC), lower costs by arbitrating market price between providers, elastic-dynamic capacity to meet peak demand, and the like.

The present disclosure also may provide security, governance, and policy enforcement to harness the power and agility of the operating model, a strategy and transition plan to move from a traditional operating model to an everything-as-a-service model, and the like.

FIG. 1 is a diagram illustrating an example system 10 in accordance with an embodiment of the present invention. FIG. 1 illustrates a cloud-computing environment 35 comprising one or more cloud-computing resources, a client network 31 comprising client computing devices 14 (e.g., desktops, laptops, smart mobile devices), and a cloud-computing platform 20 in accordance with one embodiment of the invention. In illustrated system 10, cloud-computing platform 20 provides a system through which computing devices residing on client network 31 (e.g., enterprise network) can access one or more cloud-computing services. A cloud-computing service comprises a cloud-computing resource residing within the cloud-computing environment 35 and managed by the cloud-computing platform to provide the cloud-computing service. Depending on the embodiment, cloud-computing environment 35 may comprise one or more cloud providing networks that include cloud-computing resources (e.g., cloud services provided by public or private clouds, which may be external or internal to the enterprise that uses them) that can be utilized by users. Additionally, depending on the embodiment, platform 20 may reside on a client network 31 or separate from a client network 31.

Cloud-computing environment 35 may comprise an internal cloud, an external cloud, a private cloud, or a public cloud (e.g., commercial cloud). In the embodiment of FIG. 1, cloud-computing environment 35 comprises internal private cloud resource 38, external private cloud resource 41, and secure public cloud resource 44. A private cloud may be implemented using a variety of cloud systems including, for example, Eucalyptus Systems, VMWare vSphere®, or Microsoft® HyperV. Providers of public clouds may include, for example, Amazon EC2®, Amazon Web Services®, Terremark®, Savvis®, or GoGrid®. Cloud-computing resources provided by these clouds may include, for example, storage resources (e.g., Storage Area Network (SAN), Network File System (NFS), and Amazon S3®), network resources (e.g., firewall, load-balancer, and proxy server), internal private resources, external private resources, secure public resources, infrastructure-as-a-service (IaaS) offerings, platform-as-a-service (PaaS) offerings, or software-as-a-service (SaaS) offerings.

By using cloud-computing platform 20 to plan, build, manage, or use cloud-computing resources within a cloud-computing environment, users of platform 20 are provided with standardized access to a variety of cloud-computing resources from disparate cloud-computing systems and providers without concerning themselves with the proprietary details of accessing or interfacing with such cloud-computing systems and providers. The platform 20 is configured to take the workloads that are developed with the platform 20 (as more particularly described throughout this disclosure) and automatically provide the interfaces and access steps necessary to operate the workload on any particular platform or infrastructure element within a federation of cloud computing resources, such that the user is able to interact with the platform to develop such workloads at a level of abstraction that allows the user to configure the logic of the workload (including conditional logic that allows interrelation of different workloads) and to embody the technical, operational, and business requirements of the workload in policies that are associated with the workload, without the user being required to access or understand the details of (or in some cases even know about the existence of) such particular platform or infrastructure elements. Additionally, users of platform 20 can access cloud-computing services through platform 20 on-demand and on a self-service basis through the standardized access. Users of cloud computing services offered by platform 20 may include end-users, developers, partners, or administrators that reside on the client network 31.

Platform 20 may comprise planner module 23, manager module 26, builder module 29, and consumption module 32. Planner module 23 is configured to plan cloud-computing services provided by platform 20 by inventorying, profiling, characterizing and prioritizing computer workloads, such as programs, applets, calculations, applications, servers, or services. For example, with respect to software/application development, planner module 23 may model current applications and associated software-development life cycle (SDLC) phases to determine what infrastructure environments would be required or preferred. This may include defining security, privacy, management or other profiles for each SDLC phase of each application. The profiles, in turn, will identify existing infrastructure and systems that support the SDLC phases, and manage relationships between the infrastructure, systems and the applications. Profiles may also contain characteristics regarding the SDLC phases or attributes relevant to development, deployment or performance of infrastructure, systems, or workloads, such as latency, geography, responsiveness, bandwidth, storage capacity, processing speed, processing type, platforms involved (including operating system, file types, communication protocols, and the like), data involved, protocols used, and specific institutional requirements. In terms of prioritizing the cloud-computing services needed for the SDLC phases, planner 23 may first identify which SDLC computing environments and systems would be suitable for cloud computing or migration to cloud computing, and then prioritize the enablement and operability of newly developed or migrated computer workloads according to the SDLC phases. Subsequently, the characterizations determined by planner module 23 can be used by builder module 29 to build a cloud-computing service or to deploy a computer workload to a cloud-computing resource.

In the planner module 23 or in other components of the platform 20 associated with the planner module 23 the user may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the planner module 23. The policy information may be stored in or associated with a metamodel, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload. The metamodel data, including policy information, can be associated with the workload such that throughout the various components of the platform 20, from planning through deployment to a cloud, the workflow can be handled in a manner that is consistent with the metamodel data, and in particular consistent with the policies that are applicable to that workload. In the planner module 23 the planner/user may thus plan the use of workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the planner/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user. Once associated with the workload, such policies and other metamodel data are stored by the platform 20 and may be used throughout the development and deployment cycle.

Builder module 29 may be configured to assemble, validate, and publish a cloud-computing service or computer workload for consumption (i.e., use) by a user. Builder module 29 may be configured to receive characterization information from planner module 23 and build a cloud-computing service or computer workload based on the information. For example, builder module 29 may be configured to assemble a cloud computing service based on the prioritized list of computer workloads provided by planner module 23. Builder module 29 may be configured to create and edit scripts for loading computer workloads during installation, startup, runtime, and shutdown of cloud-computing services assembled by builder 29. The scripts for the cloud-computing services may be verified and validated before the cloud-computing services are published for consumption (i.e., use). The script may have access to metamodel and policy information which may alter how the script uses the metamodel and policy information to make a decision. Additionally, builder module 29 may be configured to associate the computer workload with the appropriate cloud-computing service or resource (e.g., associate an application with an appropriate underlying virtual machine image or associate a computer workload with a specific network). As with the planner module 23, in the builder module 29 the user/builder may have access to, or may create or modify, policy information relevant to the computer workloads with which the user can interact in the builder module 29, such as the policy information stored in or associated with the above-referenced metamodel, which may enable the identification, characterization, and storage of a wide range of information, including policy information, that can be associated with a given workload.

In the builder module 29 the builder/user may thus build workloads in a manner that is consistent with technical, operational, and business requirements that are appropriate with such workload, as seen by association of the same with the workload, and the builder/user may modify or populate the policies associated with the workload, such that the metamodel data for that workload embodies and is consistent with the plans of the planner/user. In embodiments, the builder module 29 may present options to the builder pre-filtered, such as pre-populated scripts or filtered drop-down menus, that are dictated by or consistent with the policies and other metamodel data associated with a workload, omitting, blocking or hiding options that are inconsistent with such policies. For example, a workload that stores customer data could omit the option to store a social security number if a data privacy regulation prohibits storing such data in the business process to which the workload relates. Such automatic pre-filtering, pre-configuration, and blocking ensure consistency with the policies associated with the workload at the planning stage (or other stages) while also improving efficiency by removing development paths that might be pursued despite being prohibited. In embodiments, the metamodel provides a flexible structure to organize metadata and apply the same policies using a combination of system and user supplied metadata that may indicate use of the same policy, but may define the same policy in different ways. For example, in some embodiments, the system may consider a Tier 5 datacenter to be the most fault tolerant type of data center and a user may consider a Tier 1 data center to be the most tolerant. The metamodel allows a policy that requires provisioning in the most fault tolerant data center to be assigned Tier 5 or Tier 1 metadata, depending on the definition of the most fault tolerant data center in that specific operating environment.

Eventually, builder module 29 can publish a cloud-computing service for consumption by users. In some embodiments, the builder module 29 will publish the cloud-computing service to a consumption module 32 (e.g., store or storefront such as an application store, a service store, or a software stack store) where users can preview, select, and subscribe to a cloud-computing service for use. Further, in some embodiments, the builder module 29 will enter the cloud-computing service in repository 30 when it is ready and available for consumption by users. Embodiments may also configure the builder module 29 such that the development community can approve or disapprove of the cloud-computing service before publication.

Consumption module 32 is configured to allow a user to subscribe to, collaborate on, and assess a cloud-computing service published for consumption. For example, a user can preview cloud-computing services available for deployment to the virtual private cloud and consumption. Then, when a user wants to subscribe and invoke a cloud-computing service for usage, the user can invoke the cloud-computing service on a self-service, on-demand basis through the consumption module 32. Consumption module 32 may list published available cloud-computing services at or near real time, and allow a user to request updates and information on a listed cloud-computing service. In some embodiments, the consumption module 32 may allow users to collaborate on where, what, and how many cloud-computing services are deployed for consumption. In further embodiments, consumption module 32 may allow a user to comment on and rate cloud-computing services, or assess the cost associated with deploying and using a cloud-computing service. As noted above, as with the planning module 23 and the builder module 29, the consumption module 32 has access to policy information and other metamodel data that is associated with each workload, such that the workload may be consumed only in a manner that is consistent with such policy information. Thus, consumption policies related to permitted time, permitted sets of users, security, pricing, resource consumption rules, and a wide variety of other policies may be maintained by the consumption module based on the policies associated with the workload in the platform 20.

Manager module 26 is configured to provision one or more cloud-computing resources for a cloud-computing service or computer workload, manage one or more cloud-computing resources for the cloud-computing service or computer workload, and monitor one or more cloud-computing resources for the cloud-computing service or computer workload. For example, manager module 26 may provision one or more cloud-computing resources (e.g., provision one or more virtual machine instances) for a published cloud-computing service that is invoked from the consumption module 32. Upon invoking the cloud-computing service, the manager module 26 may deploy and start the one or more cloud-computing resources to the virtual private cloud for the cloud-computing service.

With respect to control, manager module 26 may control the start, stop, or run-time of one or more cloud-computing resources (e.g., control start, stop, or run-time of virtual machine instance) for a cloud-computing service. Manager module 26 may further schedule the start and stop time windows for the one or more cloud-computing resources, or govern a service level, such as per a service level agreement (SLA), or a threshold associated with the one or more cloud-computing resources. Through its control, manager module 26 can govern the cloud-computing resource according to conditions, constraints, security policies, or non-security policies. Manager module 26 may also monitor the one or more cloud-computing resources, detect security intrusions, and monitor the consumption of cloud-computing services and their associated cloud-computing resources in order to determine the costs accrued by a user. Aspects of cloud-computing resources monitored by manager module 26 include, for example, central processing unit (CPU) usage, memory usage, data storage usage, data input/output usage, application usage, workload usage, service usage, and other attributes of usage of a service or a computer workload.

In some embodiments, manager module 26 is configured such that a user can request a planner using the planner module 23 to change the design of a cloud-computing service. For example, a user may request that the cloud-computing service or computer workload change with respect to the cloud-computing resources utilized (e.g., change to a platform stack). As in the other components of the platform 20, in the manager module 26 the user may have access to, or may create or modify, policy information or metamodel data relevant to the computer workloads with which the user can interact in the manager module 26. The manager/user of the manager module 26 may thus manage the provisioning of infrastructure and platform elements such that usage will be consistent with the policies of the enterprise, including operational and business policies, as well as technical requirements. For example, provisioning to expensive infrastructure elements may be confined to workloads that satisfy business rules that distinguish between mission critical elements and other elements. The manager/user of the manager module 26 may be provided with access to the policies consistent with the metamodel framework, and in embodiments may be provided with pre-filtered options, such as in menu choices, decision trees, or the like, that are consistent with such policies. For example, a workload designated as non-critical in its metamodel data could automatically appear in the manager module with deployment options confined to relatively low cost clouds, while a mission-critical workload might appear with all different cloud options (or ones that are filtered to satisfy certain requirements as to low latency, bandwidth, storage capacity, guaranteed quality of service, or the like). As with other modules, the manager module 26 may thus enforce policy while streamlining workflow, improving both effectiveness and efficiency.

FIG. 2A is a diagram illustrating example management module 26 in further detail. As illustrated, management module 26 comprises governor module 103 configured to govern operation of a cloud-computing service and its associated cloud-computing resources, provisioning module 106 configured to provision cloud-computing resources for a cloud-computing service, and monitoring module 112 configured to facilitate the various monitoring functions of management module 26.

In embodiments, the present invention may provide for a policy-driven infrastructure as a service (IaaS) event bus, which comprises a policy engine, metamodel, reporting system, and workflow engine, and allows for the creation of business policies, such that said business policies can be reflected into a dynamic information technology environment and expressed across internal and external information technology infrastructure, regardless of operating system, programming language, middleware solution, application platform, or cloud provider, by making use of abstraction layers. The workflow engine provides an integration point between the IaaS event bus and workflow management, as described elsewhere in this specification. The abstraction layers allow for integration with application programming interfaces made available by different vendors, business models, technical models, eventing and alerting channels and monitoring systems in a vendor agnostic manner. In embodiments the abstraction layer could be a cloud-computing provider. A cloud computing provider may be VMWare, bare metal, Amazon EC2, Savvis, Terremark, Microsoft HyperV, and the like. In other embodiments, there may be multiple layers of abstraction in an abstraction layer.

The policy engine allows policies to be created through an easy to use visual interface that allows users that do not necessarily have information technology skills or other programming skills to author and assign policies to workloads. The policies can be expressed via languages such as XML, and the like. In some embodiments of the present invention a policy could be an event policy. An event policy supports matching one or more events that are temporally related and generates a notification action when matches occur. An event can be defined as either a threshold condition or matching constraints specified as rules. A rule is comprised of one or more match constraints, and each match constraint must be satisfied, by a logical “and” operation, within a specified sliding time window in order for the notification actions to be invoked. A match specifies the set of conditions that must be satisfied to match an event. Each condition specifies a property of an event or object contained by the event, which is matched against a set of one or more values using the supplied comparison operation. If multiple values are supplied for a condition then the result is a logical “or” operation of the property being compared against each value individually. Any of the event properties or properties of objects contained within the event structure may be used to refine the match criteria. For example, an auto-scaling policy may be created to add more web and database servers according to a ratio if a business application becomes heavily loaded, in order to reduce the load on that application. In another example, an auto-scaling policy with business awareness may be created that deploys additional business topologies according to an algorithm if revenue per hour exceeds a threshold.
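As an added example that is not part of the patent text, the following Python sketch implements the event-policy semantics just described: values within one condition are "or"-ed, the match constraints of a rule are "and"-ed within a sliding time window, and a notification action fires when every constraint has a match. The event field names, the 2:1 web-to-database scaling ratio and the sample events are constructed for illustration.

```python
"""Added example (not from the patent): evaluator for event policies built
from rules, match constraints and conditions, with a sliding time window."""
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Callable, Deque, Dict, List, Optional, Tuple
import operator

# Comparison operations a condition may name.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
    "ge": operator.ge, "lt": operator.lt, "le": operator.le,
}


def get_property(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'vm.cpu_pct' into a nested event dict;
    properties of objects contained in the event are reachable this way."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


@dataclass
class Condition:
    prop: str
    op: str
    values: List[Any]  # several values are "or"-ed together

    def holds(self, event: Dict[str, Any]) -> bool:
        actual = get_property(event, self.prop)
        if actual is None:
            return False
        return any(OPS[self.op](actual, v) for v in self.values)


@dataclass
class MatchConstraint:
    conditions: List[Condition]  # all must hold for the same event

    def matches(self, event: Dict[str, Any]) -> bool:
        return all(c.holds(event) for c in self.conditions)


@dataclass
class EventRule:
    name: str
    constraints: List[MatchConstraint]  # "and"-ed within the window
    window_seconds: float
    action: Callable[[str, List[Dict[str, Any]]], Any]
    _history: Deque[Tuple[float, Dict[str, Any]]] = field(default_factory=deque)

    def observe(self, event: Dict[str, Any]) -> Optional[Any]:
        """Feed one event; invoke the action once every constraint has a
        matching event inside the window ending at this event's timestamp."""
        ts = float(event["ts"])
        self._history.append((ts, event))
        # Slide the window: drop events older than window_seconds.
        while self._history and ts - self._history[0][0] > self.window_seconds:
            self._history.popleft()
        matched = []
        for mc in self.constraints:
            hit = next((e for _, e in self._history if mc.matches(e)), None)
            if hit is None:
                return None  # some constraint has no match yet
            matched.append(hit)
        self._history.clear()  # events that fired the rule are consumed
        return self.action(self.name, matched)


def scale_out(rule_name: str, events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Notification action: add web and database servers in a constructed
    2:1 ratio, as in the auto-scaling example in the text."""
    return {"rule": rule_name, "add_web": 2, "add_db": 1,
            "triggered_by": [e["type"] for e in events]}


def build_autoscale_rule() -> EventRule:
    # Constraint 1: a CPU sample for the web or api application above 85%.
    high_cpu = MatchConstraint([Condition("type", "eq", ["cpu"]),
                                Condition("app", "eq", ["web", "api"]),
                                Condition("vm.cpu_pct", "gt", [85])])
    # Constraint 2: a request-queue sample deeper than 100 entries.
    deep_queue = MatchConstraint([Condition("type", "eq", ["queue_depth"]),
                                  Condition("depth", "gt", [100])])
    return EventRule("autoscale-web", [high_cpu, deep_queue], 60.0, scale_out)


def run_sample() -> List[Optional[Dict[str, Any]]]:
    """Constructed event stream: the first CPU event ages out of the 60 s
    window before the queue event arrives, so only the third event fires."""
    rule = build_autoscale_rule()
    events = [
        {"ts": 0, "type": "cpu", "app": "web", "vm": {"cpu_pct": 91}},
        {"ts": 200, "type": "queue_depth", "depth": 150},
        {"ts": 210, "type": "cpu", "app": "api", "vm": {"cpu_pct": 88}},
    ]
    return [rule.observe(e) for e in events]
```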

The metamodel allows the system to abstract business user definition from technical definition and allows an enterprise to track information about information technology resources that were unknown when the system was created. By abstracting the business user definition from the technical definition, the metamodel allows business users to define data classes consistent with their enterprise nomenclature, while still being able to map them consistently to the internal system. For example, a Tier 4 data center is a common technical classification of a data center that generally has the highest uptime; however, some enterprises refer to Tier 4 data centers as Tier 1, and the metamodel would allow Tier 1 and Tier 4 to be used interchangeably, depending on the definition used by a specific enterprise. This provides a benefit to the enterprise by eliminating the need to write specific policies for each instance or the need to customize each abstraction layer for individual instances. By tracking information about IT resources that were unknown when the system was created, the metamodel allows business users to arbitrarily define elements of data to track and create policy after the system was built, also allowing the users to track a specific piece of information that is defined for any resources that are managed by the system. Resources could be networks, storage, servers, workloads, topologies, applications, business units, and the like.

In other further embodiments, the policy-driven infrastructure as a service may also include additional components. Additional components may be reporting, auditing, and federated identity management systems.

In embodiments, the present invention may provide for a visual policy editor, which provides an easy-to-use graphical user interface to a feature-rich and extensible policy engine, using a visual programming language and policies, eliminating the need for the user to write complex code to define, assign, and enforce policies. The graphical user interface allows the user to author policies using a visual drag-and-drop interface or an XML editor. The visual programming language functions could be loops, variables, branching, switching, pulling of attributes, code execution within a policy, and the like. For example the visual programming language could access an external pricing engine that contains live pricing information, then make a decision on the next step of the execution process, based on the information it receives from the pricing engine. In some embodiments, policies can be enforced at an object level. Objects could be organizational groups, individual projects, different deployment environments, and the like. Policies could be access control policies, firewall policies, event-based policies and the like. Access control policies could include packages, scripts, and the like. Access control policies could be defined by cloud or other service providers, network attributes, network geographic location, security policies, and the like. Firewall policies may include port and network ACL lists that are applied as policies and applied at container level to ensure conformance to corporate standards for port opening/closing. Event based policies relate to service level management and could include compound threshold rules that trigger an action, lifecycle event management, compound event sequences, signature detection, and policy stacking, and the like. For example, a policy could be defined to restrict deployment of a computing workload to private internal clouds in a specific country.
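The following Python sketch is an added example, not code from the patent, serving both the metamodel passage above (an enterprise's own tier nomenclature mapped onto the platform's canonical scale) and the object-level placement policy just mentioned (restricting a workload to private internal clouds in a specific country). It also shows the pre-filtering the builder and manager modules apply when presenting deployment options. The cloud names, countries, tier labels and alias table are constructed sample data.

```python
"""Added example (not from the patent): metamodel-backed label mapping and an
object-level placement policy that pre-filters deployable clouds."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The platform's canonical fault-tolerance scale: higher rank = more tolerant.
# The text notes one enterprise may call the top tier "Tier 1" while the
# common technical classification calls it "Tier 4".
CANONICAL_TIER_RANK: Dict[str, int] = {"tier-1": 1, "tier-2": 2,
                                       "tier-3": 3, "tier-4": 4}


@dataclass(frozen=True)
class Cloud:
    name: str
    kind: str        # "internal-private" | "external-private" | "public"
    country: str     # ISO country code (constructed values below)
    tier_label: str  # tier as the enterprise records it, not canonical


class Metamodel:
    """Maps user-supplied labels onto canonical values so that one policy
    ('most fault tolerant data center') works regardless of nomenclature."""

    def __init__(self, tier_aliases: Dict[str, str]):
        self.tier_aliases = {k.lower(): v for k, v in tier_aliases.items()}

    def canonical_tier(self, label: str) -> str:
        label = label.lower()
        if label in CANONICAL_TIER_RANK:
            return label
        if label not in self.tier_aliases:
            # An unmapped label is a policy gap, not something to guess at.
            raise KeyError(f"unknown data-center tier label: {label!r}")
        return self.tier_aliases[label]

    def tier_rank(self, label: str) -> int:
        return CANONICAL_TIER_RANK[self.canonical_tier(label)]


@dataclass
class PlacementPolicy:
    """Object-level policy attachable to a workload, project or environment.
    A None field means 'no restriction on that attribute'."""
    allowed_kinds: Optional[List[str]] = None
    allowed_countries: Optional[List[str]] = None
    require_most_fault_tolerant: bool = False

    def filter(self, clouds: List[Cloud], mm: Metamodel) -> List[Cloud]:
        """Return only the clouds consistent with the policy; this is the
        pre-filtered option list the builder/manager would show the user."""
        ok = [c for c in clouds
              if (self.allowed_kinds is None or c.kind in self.allowed_kinds)
              and (self.allowed_countries is None
                   or c.country in self.allowed_countries)]
        if self.require_most_fault_tolerant and ok:
            best = max(mm.tier_rank(c.tier_label) for c in ok)
            ok = [c for c in ok if mm.tier_rank(c.tier_label) == best]
        return ok


# Constructed inventory. The enterprise numbers its tiers in reverse, so its
# "Tier 1" is the canonical tier-4 and its "Tier 4" the canonical tier-1.
SAMPLE_CLOUDS: List[Cloud] = [
    Cloud("dc-frankfurt-a", "internal-private", "DE", "Tier 1"),
    Cloud("dc-frankfurt-b", "internal-private", "DE", "Tier 3"),
    Cloud("dc-dublin", "internal-private", "IE", "Tier 1"),
    Cloud("partner-hosted", "external-private", "DE", "Tier 4"),
    Cloud("public-eu", "public", "DE", "Tier 4"),
]


def enterprise_metamodel() -> Metamodel:
    return Metamodel({"Tier 1": "tier-4", "Tier 2": "tier-3",
                      "Tier 3": "tier-2", "Tier 4": "tier-1"})


def deployable_clouds(policy: PlacementPolicy,
                      clouds: List[Cloud] = SAMPLE_CLOUDS) -> List[str]:
    """Names of the clouds a workload carrying `policy` may be deployed to."""
    return [c.name for c in policy.filter(clouds, enterprise_metamodel())]


# The policy from the text: private internal clouds in a specific country,
# here additionally requiring the most fault tolerant site among them.
GERMANY_INTERNAL_ONLY = PlacementPolicy(allowed_kinds=["internal-private"],
                                        allowed_countries=["DE"],
                                        require_most_fault_tolerant=True)
```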

In embodiments, the present invention may provide for automated processes to support a continuous integration cycle to migrate a computing workload from a development environment to an operational environment. The continuous integration cycle may include maintaining a code repository, automating the build process, self-testing the build process, automatically deploying the build, and the like. The policies and metamodels defined and assigned to the computing workload environment follow the build from its creation using the Builder Module through to its publication into the Consumption module. This capability allows the enterprise to greatly reduce the time required to develop, test, deploy and update a computing workload. Continuous integration may also include ensuring the modernization, patch management, and conforming configuration of deployed cloud-computing services. The embodiments may provide this service as a DevToOps policy, allowing a centrally defined service definition that deployed cloud-compute services can compare against, and either update themselves when their configuration no longer matches, warn administrators of non-conformance, rewrite themselves back to conformance when configurations of the cloud-compute services are changed arbitrarily, and the like.

As noted before, various embodiments of the present invention provide standardized access, management, or control to different types of cloud-computing resources on a self-service, on-demand basis without the user needing to know the specific instructions or details for accessing, managing, or controlling those different target cloud-computing resources.
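As an added example that is not part of the patent text, the Python sketch below models the DevToOps conformance check just described: a deployed service diffs its live configuration against the central service definition and either updates itself (the definition moved on), reverts a drifted setting (a local change to a setting the policy protects), or only warns an administrator. The service definition, the live configurations, the setting names and which keys are protected are constructed for illustration.

```python
"""Added example (not from the patent): DevToOps-style reconciliation of a
deployed service's configuration against a central service definition."""
from typing import Any, Dict, List, Set, Tuple

# Constructed central definition; `version` rises whenever it changes.
CENTRAL_DEFINITION: Dict[str, Any] = {
    "version": 3,
    "settings": {"tls_min_version": "1.2", "ssh_port": "22",
                 "log_forwarding": "on", "patch_level": "2011-01"},
}

# Settings that are rewritten back to conformance when changed arbitrarily
# on the instance; everything else only produces a warning (constructed).
REVERT_KEYS: Set[str] = {"tls_min_version", "log_forwarding"}


def diff_config(central: Dict[str, str],
                live: Dict[str, str]) -> List[Tuple[str, str, Any]]:
    """(key, expected, actual) for every drifted or missing setting."""
    drift = []
    for key, expected in sorted(central.items()):
        actual = live.get(key)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def is_conformant(central: Dict[str, Any], live: Dict[str, Any]) -> bool:
    return not diff_config(central["settings"], live["settings"])


def reconcile(central: Dict[str, Any], live: Dict[str, Any],
              revert_keys: Set[str] = REVERT_KEYS
              ) -> Tuple[Dict[str, Any], List[str]]:
    """Apply the DevToOps policy to one deployed service.
    Returns the updated live state and the list of actions taken."""
    updated = {"definition_version": live["definition_version"],
               "settings": dict(live["settings"])}
    actions: List[str] = []
    # If the central definition is newer than what the service last synced,
    # every difference is the definition moving on: the service updates itself.
    stale = live["definition_version"] != central["version"]
    for key, expected, actual in diff_config(central["settings"],
                                             live["settings"]):
        if stale:
            updated["settings"][key] = expected
            actions.append(f"SELF-UPDATE {key}: {actual!r} -> {expected!r}")
        elif key in revert_keys:
            # Same definition version, so the drift is a local change.
            updated["settings"][key] = expected
            actions.append(f"REVERT {key}: {actual!r} -> {expected!r}")
        else:
            actions.append(f"WARN {key}: expected {expected!r}, found {actual!r}")
    if stale:
        updated["definition_version"] = central["version"]
    return updated, actions


# Constructed live states: one drifted locally, one behind the definition.
LIVE_DRIFTED: Dict[str, Any] = {
    "definition_version": 3,
    "settings": {"tls_min_version": "1.0", "ssh_port": "2222",
                 "log_forwarding": "on", "patch_level": "2011-01"},
}
LIVE_STALE: Dict[str, Any] = {
    "definition_version": 2,
    "settings": {"tls_min_version": "1.2", "ssh_port": "22",
                 "log_forwarding": "on", "patch_level": "2010-12"},
}
```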

In order to translate a standard management action for a cloud-computingservice to instructions for its cloud-computing resource and/orinstructions for a computer workload to be executed on a cloud-computingresource, some management modules may comprise a cloud model data store109 that maps the management action to the appropriate cloud-computingresources. Subsequently, the management action is translated to one ormore instructions for a target cloud-computing resource and/or acomputer workload operating thereon. For example, a topology is anexample of a cloud service, where a topology is comprised of a number ofindividual virtual machines orchestrated together. A common managementaction to perform on a topology is to start it. This simple topologystart action within the management layer gets turned into a number ofindividual instructions that get passed down into the cloud service bus,such as (1) calculate the Start Up order for topology, (2) initiateordered startup one VM at a time, (3) as VM's come up, attach volumesthat are associated with the VM, (4) install any packages and softwareonto the VM's, and (5) once all machines are up and running the topologystatus changes to running

Cloud service bus 115 may be utilized to parse management instructionsreceived from the manager module 26, transform the managementinstructions to instructions compatible with the target cloud-computingresource, and route the management instruction to the targetedcloud-computing resource. In some embodiments, the cloud service bus 115then routes the instructions to the application program interface (API)for a target cloud-computing resource from external commercial cloudresource 127, or to the virtual machine manager (VMM) (e.g., hypervisor)for a target cloud-computing resource from internal private cloudresources 130.

FIG. 2B illustrates an example flow of management instructions from manager module 26 to a commercial cloud API. As illustrated in FIG. 2B, provisioning module 106 of management module 26 transmits a management action for a cloud-computing service currently deployed within a virtual private cloud (VPC) or a cloud-computing resource to be deployed in the virtual private cloud. Cloud service bus 115 receives the management action, parses (215) the action, and utilizes cloud model data store 109 to resolve (218) the action to the appropriate one or more cloud-computing resources associated with the cloud-computing service.

These management actions are then translated to target-specific instructions (e.g., commercial hypervisor API calls) by a target-specific adapter that connects one or more cloud-computing resources to one or more other cloud-computing resources or to the cloud-computing platform. Given the disparate types of cloud providers and systems that exist, each having a proprietary interface for access, management, and control, some embodiments utilize a target-specific adapter 209, 212 in order to connect to and interface with cloud-computing resources provided by those different cloud providers and systems.

In the illustrated embodiment, once target-specific instructions have been determined, cloud service bus 115 routes the instructions to Amazon EC2® adapter 209, which transforms (221) (or translates) the management action to one or more target-specific instructions that are routed to the Amazon EC2® API 203 for execution on the Amazon EC2® cloud-computing environment 206. Other adapters 212 illustrated include a Microsoft® System Center Virtual Machine Manager adapter, a VMWare® adapter, a Rackspace® adapter, and a Sun® VMOpsCenter adapter. Other APIs illustrated include the Citrix® XenCenter® API 122 used to interface with a XenCenter cloud-computing environment 128, or a Sun® xVMOpsCenter API 123 used to interface with the xVMOpsCenter cloud-computing environment 129.

In some embodiments, the instruction is transmitted to the Amazon EC2® API 203 through connection module 118, which implements a secure (i.e., encrypted) connection between the platform and the cloud-computing environment, the platform and the client network, or the cloud-computing environment and the client network to ensure secure communication between the platform and environment. Connection module 118 may be utilized, for example, when a cloud-computing environment does not provide a secure connection between a client and its cloud-provider network (e.g., a commercial cloud provider does not provide a secure connection as a feature of its cloud services). Additionally, connection module 118 may be deployed and utilized on the client-side network when the client lacks a secure connection with the platform.

FIG. 3 provides a diagram illustrating an example of provisioning in accordance with an embodiment of the present invention. As illustrated in FIG. 3, upon receipt of a provisioning request from virtual private cloud (VPC) user interface 256, (asset) repository 262 is queried to extract all relevant metamodel information for the deployable assets (e.g., cloud-computing resources), such as a cloud-computing service having a specific topology. A simple topology may comprise a single cloud-computing resource (e.g., an operating system running on a virtual machine) or a single tier of cloud-computing resource instances (e.g., a LAMP server), combined to provide a cloud-computing service such as a web front-end. A more complex topology may comprise more than one tier of related cloud-computing resource instances, such as a back-end database service tier, a middleware tier, and a web front-end tier, each tier performing a related service as part of delivery of an application to a set of users. The cloud model 109 is queried 280 to match the type(s) of cloud-computing resource instance with an appropriate provisioning request.

Upon a successful match, a policy management engine within governor module 103 is queried to ensure current policies allow for provisioning the cloud-computing resource from a cloud-computing environment, thereby providing “valid” or “right” placement 283, consistent with the handling of policy and the metamodel framework described above and throughout this disclosure. Topology interpreter 271 examines the request for the relationships of the cloud-computing resource instance(s) being requested and the access list (network port) assignments for the instance(s), and then passes the information to provisioning agent 274. Provisioning agent 274, in turn, queues the startup requests for the cloud-computing resource instances based on the defined startup order of the topology and provisions the instances and access list requests 289 through the virtual machine manager (VMM) API.

FIG. 4 is a diagram illustrating an example use of a connection module in accordance with an embodiment of the present invention. Specifically, illustrated are two cloud-computing environments 306 and 309, each running instances of either Microsoft® Windows (333) or a distribution of Linux (339). Each cloud-computing environment is configured with a cloud firewall (315, 318) that blocks specified network traffic and defends the environments against malicious network traffic.

Illustrated opposite the cloud-computing environments is client network 303 (e.g., an enterprise network) that has an instance of Linux 342 and Solaris (x86) operating and is equipped with an enterprise firewall 312. In order for the cloud-computing environments (306, 309) to communicate with client network 303 over external network 321 (e.g., the Internet), connection modules (324, 327, 330) are deployed on the three entities in order to establish and maintain encrypted communication tunnels (348, 351) between the cloud-computing environments (306, 309) and the client network 303. In addition, connection modules (324, 327, 330) establish these encrypted communication tunnels (348, 351) through allowed ports on the firewalls (312, 315, 318). In FIG. 4, the connection modules (324, 327, 330) establish one encrypted tunnel for management (351) and another encrypted tunnel for data (348). The platform 20 may support this concept in a plurality of ways. For instance, the platform 20 may have the capability to deploy what is commonly referred to as a VPN overlay network. This network creates secure communication channels between two endpoints. In this instance, the network is set up by deploying ‘connection modules’ into each of the different environments. The connection modules create secure connections between each other. Now when guest machines are created, they are configured to VPN into their appropriate connection module. From that point on, all traffic is tunneled through these secure endpoints and traffic can be routed across network segments (i.e., in and between cloud providers and on premise). In another instance, a connection broker may rely on creating IPSec tunnels between individual cloud providers and an on-premise environment. This allows traffic to traverse from one cloud environment to another via the enterprise's own internal networks.

Further, the solution may be configured to combine a set of firewall configurations to enable a security zone model. Specifically, as a new virtual machine is brought online, the system can reach out to all the relevant firewalls and set up the appropriate communication. This can mean that the system will configure a host-based firewall on the VM, a hypervisor firewall the VM is running in, physical firewall devices, and other firewalls such as the host or hypervisor firewalls running on any of the machines in the communication channel. This could mean that starting a VM will result in hundreds of firewall changes across the spectrum of all firewall devices and services that might be in the communication path.

In embodiments, the platform 20 may provide for end-to-end security across internal and external clouds, such as including secure data in transit from the platform to external clouds, secure access for users, secure encryption keys, secure logs for auditing, secure instances from breaches, secure data in storage, and the like. The platform may provide for comprehensive security capabilities designed for agile IT operating models, such as for network security, instance security, data security, access security, and the like. For instance, network security may include an encrypted overlay network across multiple clouds and enterprise data centers, firewall integration with support for multicast, static IP management, point-to-point routing, and the like. Instance security may include images with pluggable host-based intrusion detection systems and virus scanning, and the like. Data security may include images that utilize configurable encrypted block storage as well as SDKs for non-block storage requirements, and the like. In embodiments, access security may include federated identity management and granular role-based access control to instances and stores. For example, there may be a need to store credentials in a third-party encrypted key-store. The platform 20 may allow for storing of all credentials in its own encrypted key-store or the ability to store them in a third-party FIPS-compliant key-store for added security and compliance.

In embodiments, the present invention may provide for a secure federation of internal and external cloud providers to operate as a trusted extension of an enterprise, establishing security policy and governance earlier in the lifecycle, combined with automated policy enforcement, to provide a more secure computing environment than previously available. Comprehensive security may include host intrusion detection systems and anti-virus protection, virtual firewalls, encryption of persistent data, secure connectivity, federated identity management, and the like. Network isolation may be provided to include a redundant customer-controlled encrypted overlay network service that provides security in a cloud, across multiple clouds, and between enterprise data centers and commercial clouds; support for multicast, static IP management, point-to-point routing, and firewall integration; and the like. Instance isolation may be provided through stacks including active host-based intrusion detection and prevention packages; pluggable virus scanning integrated into each stack; and the like. Data isolation may be provided, such as including a configurable encrypted block storage system as well as SDKs for non-block storage requirements; backups of block storage devices inheriting encryption; configurations for encryption of data to be transferred or stored in non-block storage; a cloud manager providing granular role-based access control to instances and stores; certificate and key-pair access control of instance log-in, such as connections only over strong-encryption SSL; and the like. In an embodiment, an overlay network may extend the client's network into the cloud provider, such as through bridges to the corporate network (e.g., like a VPN); enhanced failover, load balancing, and peering; support for extension of corporate IP assignments (e.g., both DHCP and static); support for point-to-point connections (e.g., servers that can talk directly to each other without having to go back to the corporate data highway); the ability to bridge multiple clouds; support for multicast; deployment of nodes in both the external cloud provider and the corporate data highway; and the like.

Each of the security capabilities described herein may be provided for a particular platform or infrastructure network, as applicable, or may be applied across a security zone, as noted above, such that the security zone, which may reside across multiple clouds or networks, is maintained as a defined layer of security for all elements within the zone. Thus, security policies applicable to the zone may, by being associated with all workloads in the zone in accordance with the metamodel and policy framework described throughout this disclosure, be enforced to ensure that all such workloads are deployed, executed and consumed in a manner consistent with the current security policies for the zone. The boundaries of each security zone and its policies can be rapidly and conveniently updated, such as in the manager module 26, with assurance that all workloads within the zone will be provided with updated policies, as applicable, and that they will be handled consistent with such policies. As noted above, multiple security zones may be defined at differing levels of abstraction, such as geographic, business unit, user type, physical network, cloud, cloud type, or the like. Workloads in each zone will be required to satisfy the security policies of the zone, such that if a workload is deployed within overlapping zones, it will be subject to all policies for all such zones. For example, a transactional workload might have a security policy defining anti-virus requirements based on its presence in a security zone defined by the business unit that handles that transaction, but it might also be subject to data encryption requirements defined for a security zone defined by the legal department for all business units of an enterprise. The platform 20 may include the capability to view, manage, and edit security policies for security zones, including to highlight and resolve any potential conflicts among policies in the case of overlapping zones that apply to a workload. The ability in the platform 20 to plan, design, rapidly deploy, and manage workloads and related policies that comply with varying and overlapping security zones allows efficient satisfaction of constantly changing technical requirements (e.g., based on the latest anti-virus, firewall, and similar capabilities for a particular type of cloud or other infrastructure resource), shifting regulatory requirements (such as satisfying legal requirements for security of private user data), and shifting business requirements (such as providing security features that satisfy customer preferences as to security and convenience of use). Among other capabilities, the definition of security policies in the platform 20 at a level of abstraction that is independent of the infrastructure and platform elements on which a workload is deployed allows an enterprise to establish security zones that are vendor independent. A single security zone can have a defined policy, such as to satisfy a legal requirement, that is associated with a workload, and that is applied within a security zone that contains firewalls, routers, storage systems, and other elements that come from disparate vendors. The platform 20 automatically parses the policy and metamodel data associated with the workload and ensures that the infrastructure elements, regardless of type, are provisioned, updated and operated in accordance with the policy. This capability allows the enterprise to avoid a great deal of effort, often unsuccessful due to the time required and the rapidly shifting requirements, that has previously been spent analyzing, discussing, and updating security policies, then configuring a host of disparate devices in an effort to comply with the changing policies.
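The overlapping-zone rule above (a workload is subject to every policy of every zone it sits in, and the platform highlights conflicts) can be made concrete with the following added example, which is illustrative code written for this page rather than the platform's policy engine. Zone names, control names and requirement values are constructed; the merge keeps controls on which all zones agree and reports any control on which two zones disagree so that deployment can be held until an operator resolves it.

```python
"""Resolving the security policies that apply to a workload deployed in
overlapping security zones (constructed example, not the patent's code).

Each zone carries policy requirements keyed by control type. A workload
inherits the union of requirements from every zone it is tagged with; where
two zones require different values for the same control, the conflict is
surfaced instead of one value being picked silently."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    control: str      # e.g. "anti_virus", "data_encryption"
    requirement: str  # required setting for that control
    zone: str         # zone that imposes it (kept for the audit trail)


# Constructed zones at different levels of abstraction: a business unit,
# a legal-department zone spanning all business units, and a geography.
ZONE_POLICIES = {
    "bu-payments": [
        Policy("anti_virus", "vendorA-signatures-daily", "bu-payments"),
        Policy("host_firewall", "default-deny", "bu-payments"),
    ],
    "legal-all-bus": [
        Policy("data_encryption", "aes-256-at-rest", "legal-all-bus"),
    ],
    "region-eu": [
        Policy("data_encryption", "aes-256-at-rest", "region-eu"),
        Policy("host_firewall", "default-allow-egress", "region-eu"),
    ],
}


def effective_policies(workload_zones, zone_policies=ZONE_POLICIES):
    """Merge the policies of every zone a workload belongs to.

    Returns (merged, conflicts): merged maps control -> requirement for each
    control on which all zones agree; conflicts lists (control, {zone:
    requirement}) for controls on which zones disagree."""
    seen = {}  # control -> {zone: requirement}
    for zone in workload_zones:
        if zone not in zone_policies:
            raise KeyError(f"unknown security zone: {zone}")
        for p in zone_policies[zone]:
            seen.setdefault(p.control, {})[p.zone] = p.requirement
    merged, conflicts = {}, []
    for control, by_zone in seen.items():
        requirements = set(by_zone.values())
        if len(requirements) == 1:
            merged[control] = requirements.pop()
        else:
            conflicts.append((control, by_zone))
    return merged, conflicts


def deployment_allowed(workload_zones, zone_policies=ZONE_POLICIES):
    """A workload is deployable only once no unresolved conflict remains;
    an unmerged control would otherwise be enforced inconsistently."""
    _, conflicts = effective_policies(workload_zones, zone_policies)
    return not conflicts


if __name__ == "__main__":
    print(effective_policies(["bu-payments", "legal-all-bus"]))
    print(effective_policies(["bu-payments", "region-eu"]))
```

Two zones that impose the same requirement for a control (here both the legal zone and the EU region require encryption at rest) are not a conflict; only a genuine disagreement blocks deployment, which mirrors the "highlight and resolve" capability described above.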

In some embodiments, the method further comprises: deploying an application, where the application is associated with one or more computer workloads; and where each application and/or computer workload is assigned a security zone; and tagging each application or computer workload based on its security zone such that firewall rules to permit the application to perform the computer workload are automatically and simultaneously applied to multiple firewalls within and outside the security zone assigned to the application. In some embodiments, the application may have complex security policies integrated within it during the development process of the application. Each application or computer workload may be tagged to operate in a specific security zone and communicate across security zones, and each security zone may have a defined set of firewalls associated with it. In some embodiments the firewalls may be virtual firewalls or physical firewalls. In some embodiments the firewalls may be provided by multiple vendors such as Cisco, Juniper, and the like. In some embodiments the firewalls may be cloud-based firewalls provided by vendors such as Amazon, VMWare, and the like. For example, a database application that is tagged to operate in a highly secured security zone may require connectivity through a built-in firewall on the database server, a firewall upstream of the server between the highly secured security zone and a less secure corporate network security zone, and a firewall between the less secure corporate network security zone and a security zone that connects to the public Internet. An adaptor automatically determines the IP addresses assigned to each of the firewalls required to permit the application to perform the computer workload, and simultaneously on each firewall establishes the rules required by the application, without restarting the system in which the firewall(s) operate. In other embodiments, the method further comprises removing the firewall rules when the application or computer workload is removed or stopped.
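The database example above (host firewall, a firewall between the secured zone and the corporate zone, and a firewall between the corporate zone and the Internet-facing zone) is worked through in the following added example, which is illustrative code for this page and not the adaptor described in the patent. The zone chain, firewall names and management addresses are constructed; a real adaptor would call each vendor's management interface where this code mutates an in-memory rule set. It shows both halves of the lifecycle: pushing one allow rule to every firewall on the path when the tagged workload is deployed, and withdrawing it when the workload is stopped.

```python
"""Applying and withdrawing firewall rules for a zone-tagged workload across
every firewall on its communication path (constructed example, not the
patent's adaptor)."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    address: str                              # management IP the adaptor resolves
    rules: set = field(default_factory=set)   # live rule set; changed without restart


@dataclass
class Workload:
    name: str
    zone: str
    port: int    # service port the application must be reachable on


# Constructed zone chain: highly secured DB zone -> corporate zone -> zone that
# connects to the public Internet. Each hop is guarded by its own firewall,
# and the workload's own server runs a host-based firewall.
ZONE_CHAIN = ["high-secure", "corp", "dmz"]
FIREWALLS = {
    "host:db01": Firewall("host:db01", "10.1.1.5"),
    "high-secure->corp": Firewall("high-secure->corp", "10.1.0.1"),
    "corp->dmz": Firewall("corp->dmz", "10.2.0.1"),
}


def firewalls_on_path(workload_zone, peer_zone, host_fw):
    """Every firewall between the workload's zone and the peer zone, starting
    with the host-based firewall on the workload's own server."""
    i, j = ZONE_CHAIN.index(workload_zone), ZONE_CHAIN.index(peer_zone)
    lo, hi = sorted((i, j))
    path = [host_fw]
    for k in range(lo, hi):
        path.append(f"{ZONE_CHAIN[k]}->{ZONE_CHAIN[k + 1]}")
    return path


def rule_for(workload, peer_zone):
    """The single allow rule the application needs, scoped to its port."""
    return ("allow", f"from:{peer_zone}", f"to:{workload.name}", workload.port)


def apply_rules(workload, peer_zone, host_fw, firewalls=FIREWALLS):
    """Tag-driven provisioning: push the same rule to every firewall on the
    path. Returns the management addresses that were changed, for the audit log."""
    changed = []
    for fw_name in firewalls_on_path(workload.zone, peer_zone, host_fw):
        fw = firewalls[fw_name]
        fw.rules.add(rule_for(workload, peer_zone))
        changed.append(fw.address)
    return changed


def remove_rules(workload, peer_zone, host_fw, firewalls=FIREWALLS):
    """Withdraw the rule when the workload is stopped or removed, so stale
    allow entries do not outlive the application that needed them."""
    rule = rule_for(workload, peer_zone)
    removed = 0
    for fw_name in firewalls_on_path(workload.zone, peer_zone, host_fw):
        fw = firewalls[fw_name]
        if rule in fw.rules:
            fw.rules.discard(rule)
            removed += 1
    return removed


if __name__ == "__main__":
    db = Workload("db01", "high-secure", 5432)
    print(apply_rules(db, "dmz", "host:db01"))
    print(remove_rules(db, "dmz", "host:db01"))
```

Returning the list of changed devices from both operations is deliberate: when starting a VM can touch many firewalls, the record of exactly which rule landed where is what lets an operator verify that a later removal left nothing behind.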

As noted before, connection modules such as those illustrated may be utilized when a secure connection is not readily available between a cloud-computing platform of an embodiment and a cloud-computing environment, between the cloud-computing platform of the embodiment and the client network, or between the cloud-computing environment and the client network.

FIG. 5 is a diagram illustrating an example use of an identity module in accordance with an embodiment of the present invention. In FIG. 5, enterprise network 406 is illustrated comprising identity module 29 in accordance with an embodiment, and identity store 415. Illustrated opposite the enterprise network is a cloud provider network 403 that is providing commercial cloud 409 (e.g., a cloud-computing resource for a cloud-computing service) to enterprise network 406.

Identity module 29 facilitates identity provisioning and de-provisioning 418 (e.g., sign-on and sign-off) of a user to a service provided on a public (e.g., commercial) or private cloud. In some embodiments, identity module 29 performs this service by authenticating the user using the client's authentication system (i.e., identity store 415). For example, identity module 29 may authenticate a user using a locally deployed service, such as Netegrity®, Oracle OAM®, Microsoft® Active Directory, RSA® Cleartrust, Lightweight Directory Access Protocol (LDAP), and Kerberos. For instance, in one use case the platform 20 could be configured to use Active Directory (AD) as its user store. When a user wishes to console or desktop into a virtual machine that exists within a cloud environment, they may be prompted for credentials. The user supplies their credentials and the platform authenticates against AD. If there is a match, the platform 20 may log into the VM as Admin and create a new local account for the user based on the AD credentials. The user can now log in to the VM. Another use case may deal with Software as a Service integration, where a store, as described herein, may include the concept of purchasing user seats with cloud-based services, such as the commercially available service Salesforce. When a user, backed by the user's AD identity, orders a Salesforce user seat, the platform may provision an account for the user within Salesforce. When the employee is terminated via AD, or removes the user seat from the portfolio of an enterprise, the platform may de-provision the user account within Salesforce. Users may also have the option to ‘consume’ Salesforce, which redirects the user to Salesforce and performs SSO. In another example, a user logs into the platform to access a Salesforce service, where first the user is authenticated (e.g., via AD, Netegrity), then based on his identity the platform 20 checks to see if the user has an account in Salesforce. If not, the system may create one in Salesforce by calling the Salesforce account management APIs. The system may also look up additional information about this user by doing database queries or other types of lookups against internal systems. If a user tries to access the service and the system detects the user should no longer have access (e.g., because the user has been terminated), then the platform 20 will initiate a process to delete the account and clean up all relevant data. This detection and cleanup process could also be initiated by a periodic job that gets run automatically by the platform 20 according to a schedule, by detection of events (such as changes made to AD), and the like.
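The periodic provisioning and de-provisioning job described above is shown in the following added example, which is illustrative code for this page and not the identity module itself. The directory snapshot and the account-management interface are constructed stand-ins (not a real Active Directory or Salesforce API): the directory is treated as authoritative, accounts are created for every active user who holds a seat, and any account belonging to a terminated user, a user whose seat was removed, or a user unknown to the directory is removed.

```python
"""Reconciling a SaaS service's accounts against the enterprise directory
(constructed example; directory and SaaS interfaces are stand-ins)."""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    username: str
    active: bool                              # False once terminated in the directory
    seats: set = field(default_factory=set)   # services purchased for this user


class SaaSAccounts:
    """Stand-in for a service's account-management API."""

    def __init__(self, existing=()):
        self.accounts = set(existing)

    def create(self, username):
        self.accounts.add(username)

    def delete(self, username):
        self.accounts.discard(username)


def reconcile(directory, service_name, saas):
    """Provision an account for every active user holding a seat; de-provision
    every account the directory does not entitle. Returns (created, deleted)
    so each run can be recorded for audit."""
    entitled = {u.username for u in directory
                if u.active and service_name in u.seats}
    created = sorted(entitled - saas.accounts)
    deleted = sorted(saas.accounts - entitled)   # includes orphans unknown to AD
    for name in created:
        saas.create(name)
    for name in deleted:
        saas.delete(name)
    return created, deleted


def access_allowed(directory, service_name, username):
    """Per-login check applied before SSO redirect: an account existing in the
    SaaS is not sufficient; the directory decides."""
    return any(u.username == username and u.active and service_name in u.seats
               for u in directory)


# Constructed directory snapshot.
DIRECTORY = [
    DirectoryUser("alice", True, {"salesforce"}),
    DirectoryUser("bob", False, {"salesforce"}),   # terminated in AD
    DirectoryUser("carol", True, set()),           # seat removed from portfolio
]

if __name__ == "__main__":
    saas = SaaSAccounts(["bob", "carol", "dave"])  # "dave" has no directory entry
    print(reconcile(DIRECTORY, "salesforce", saas))
    print(saas.accounts)
```

Running the same reconciliation from a schedule and from a change event (as the text proposes) is safe because the function is idempotent: a second run over an already-reconciled service creates and deletes nothing.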

In some embodiments, once a user is successfully authenticated using identity store 415, identity module 29 redirects that user's credentials to the cloud-computing service for authentication. Once the cloud-computing service successfully authenticates the user based on the forwarded user credentials, the user is redirected to the logged-in cloud-computing service. It should be noted that identity capabilities may be applied to a cloud-computing resource as well as to a user, such that a specific cloud-computing resource may be authorized (based on its identity) to be used in connection with execution of a computer workload.

FIG. 6 is a diagram illustrating an example use of a monitor module in accordance with an embodiment of the present invention. As illustrated, governor module 103, monitor module 112 and private internal clouds 530 reside on enterprise network 503. Commercial clouds 512 and 515 are providing cloud-computing resources to the enterprise network 503. Monitor module 112 is responsible for monitoring the status and utilization of commercial clouds 512 and 515, and deploys monitor collectors 506 and 509 to the commercial clouds 512 and 515 to collect and transmit such information to monitor module 112. The collectors may provide a plurality of functions. For instance, the first thing a collector may do is collect information coming from the guests. The collectors may also persist this data and respond to queries about the data from the main monitor module. Being able to deploy these remote monitors provides many benefits, such as lowering bandwidth costs because all of this data does not have to be sent across WAN links (e.g., the data stays on the collectors, and is only retrieved when a specific query needs it), increasing scalability where each collector node can handle a large number of guests and, as the number of guests increases, additional collectors may be deployed to handle the load, and the like. In another instance, a deployed VM (e.g., a VM of an Amazon cloud) may periodically report back its status as well as a set of performance metrics it was seeing. Based on this, the platform could detect if there was an outage at that VM. It could detect this as soon as a machine reported, or if a machine fails to make a scheduled report. The monitoring system may be able to monitor events above and at the hypervisor. That is, the monitoring system may receive data not only from VMs, but may also be extended to call the low-level APIs and metric systems of the hypervisors and cloud computing services and aggregate data from both locations to provide a holistic picture of the performance and status of the system.

Aggregator 518 receives the information from individual monitor collectors (506, 509) and monitor collectors (not shown) deployed to private internal cloud 530, and records the (received) monitor information for governance purposes, provisioning purposes, or administrative purposes (e.g., event reporting). Monitor module 112 uses translator 521 to interpret the monitor information from the commercial clouds (512, 515) and relays (524) the interpreted monitor information to event console 527. Aggregator 518 also forwards monitor information to governor module 103 to enable the module to govern the operations of cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment. The monitor and collector modules may all reside inside the enterprise network 503 as virtual appliances running within the internal virtualized enterprise network 503 compute environment.

FIG. 7 is a diagram illustrating example governor module 103 in accordance with an embodiment of the present invention. Governor module 103 applies constraints, conditions, non-security policies, and security policies on cloud-computing resources and cloud-computing services being managed by a cloud-computing platform in accordance with an embodiment. In the illustrated embodiment, governor module 103 governs the cloud-computing resources and services by using monitoring information (from cloud-computing resources) provided by monitor module 112, and then issuing management actions (e.g., VPC actions) to cloud-computing resources based on monitoring information and the constraints, conditions, and policies the governor is applying to the cloud-computing resources.

In order to apply the constraints, conditions, and policies, governor module 103 uses analytics engine 609 to analyze monitoring information from monitor module 112 and then uses the analysis information to apply the constraints, conditions, and policies through policy engine 603. Based on the application of the constraints, conditions, and policies, policy engine 603 instructs action engine 606 to issue management actions to provisioning module 106 (e.g., issue management actions to increase or decrease the number of cloud-computing resources based on CPU utilization of the existing resources). For instance, when a new threshold policy gets created, the threshold may be pushed down into the analytics engine. The analytics engine may be continuously evaluating the flow coming in from the monitor modules and evaluating the flow against its threshold definitions. When a threshold is violated, an event may be created and sent to the policy engine. The policy engine may then determine which action to take and pass the instruction off to the action engine. In the case of auto-scaling, the action engine may pass a provisioning or de-provisioning request to the provisioning module.

In embodiments, the flow amongst the monitor and provisioning modules and the analytics and policy engines may be as follows. In step 1, the monitor agent may collect data in a variety of ways, including polling the system for status, or alternatively it may receive information sent to it by some event or periodic sending of data by the application or service being monitored. In step 2, the monitor agent rolls up the data, where the roll-up may include aggregating and summing data, and it may also include filtering out data that is not required or that is within thresholds that don't need to be reported on. The data may be collected so it may be sent in bulk efficiently rather than parceled out and causing many interrupts. In step 3, the monitor agent may transmit data to the analytics engine. The analytics engine may then parse the data and again may perform aggregations, summation, filtering, or other correlation. In step 4, the analytics engine may then evaluate data against a set of configured thresholds that are configured by the policy engine. If a threshold is found to have been exceeded, then the event system may kick in and take action based on the configured policy. Step 5 is executing the configured policy action, which could include notification of some set of individuals or other systems by phone, email, pager, text message, event bus, programmed call-out, shell script, or other configured mechanism.
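The five-step flow above, together with the auto-scaling threshold example from the preceding paragraph, is worked through in the following added example, which is illustrative code for this page and not the platform's analytics, policy or action engines. The CPU samples, threshold values, policy table and tier name are constructed. It shows the agent-side roll-up with a reporting floor, threshold evaluation that emits events, the policy lookup that maps events to actions, and the action engine producing provisioning and de-provisioning requests.

```python
"""Monitor agent -> analytics engine -> policy engine -> action engine flow
for a threshold-driven auto-scaling policy (constructed example, not the
patent's engines)."""
from collections import defaultdict
from statistics import mean


def roll_up(samples, floor_pct):
    """Step 2: per-VM aggregation plus filtering. Readings whose average sits
    below the reporting floor are dropped so the agent ships a small bulk
    payload instead of every raw sample."""
    per_vm = defaultdict(list)
    for vm, cpu_pct in samples:
        per_vm[vm].append(cpu_pct)
    averaged = {vm: mean(values) for vm, values in per_vm.items()}
    return {vm: avg for vm, avg in averaged.items() if avg >= floor_pct}


def evaluate_thresholds(rolled, thresholds):
    """Step 4: compare each aggregated metric against the thresholds the
    policy engine configured; every violation becomes an event."""
    events = []
    for vm, cpu in rolled.items():
        for name, (op, limit) in thresholds.items():
            violated = cpu > limit if op == ">" else cpu < limit
            if violated:
                events.append({"vm": vm, "threshold": name, "value": cpu})
    return events


# Policy engine table: which action each threshold event maps to (constructed).
POLICY = {"cpu_high": "scale_out", "cpu_low": "scale_in"}


def decide_actions(events, policy=POLICY):
    """Policy engine: translate events into action-engine instructions;
    events with no configured policy are ignored."""
    return [(policy[e["threshold"]], e["vm"]) for e in events
            if e["threshold"] in policy]


def action_engine(actions, tier="web-tier"):
    """Step 5: hand provisioning / de-provisioning requests to the provisioning
    module. Here they are returned, deduplicated, instead of dispatched."""
    requests = []
    for action, vm in actions:
        if action == "scale_out":
            req = ("provision", tier)
        else:
            req = ("deprovision", vm)
        if req not in requests:
            requests.append(req)
    return requests


# Constructed samples collected by a monitor agent: (vm, cpu percent).
SAMPLES = [("web-1", 91), ("web-1", 95), ("web-2", 20), ("web-2", 25),
           ("web-3", 5), ("web-3", 8)]
THRESHOLDS = {"cpu_high": (">", 85), "cpu_low": ("<", 10)}


def run_pipeline(samples=SAMPLES, thresholds=THRESHOLDS, floor_pct=0):
    """Steps 1-5 end to end, returning the provisioning requests produced."""
    rolled = roll_up(samples, floor_pct)
    events = evaluate_thresholds(rolled, thresholds)
    return action_engine(decide_actions(events))


if __name__ == "__main__":
    print(run_pipeline())
```

Note that the reporting floor in the roll-up interacts with the low-CPU threshold: if the agent filtered out everything under 10 percent, the analytics engine would never see the idle VM and could not scale it in, so a filter applied at the agent must be configured with knowledge of the thresholds downstream.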

In the illustrated embodiment, governor module 103 utilizes instance placement 627 to make decisions on where to place an instance of a cloud-computing resource. For example, when an image is built for a cloud-computing service using a builder module, it can be tagged (e.g., using a metamodel) to prevent deployment to certain zones (e.g., security zones) as part of a security policy, cost control policy, or performance or availability management policy. Instance placement 627 may cause the governor module 103 to place an instance of a cloud-computing resource based on availability of client-computing resources, or (real-time) performance of particular clouds. Virtual machine (VM) lifecycle management 624 may be utilized by governor module 103 to determine and enforce expiration of virtual machines. Auto-scale 621 may be utilized by governor module 103 to scale computer workloads being performed on one or more cloud-computing resources. Auto-scale 621 can add or remove instances of cloud-computing resources to increase or decrease the performance of computer workloads based on monitored resource consumption, a schedule, or a set of rules. Availability & disaster recovery 618 may be utilized when operation of a cloud-computing resource has failed and the failed cloud-computing resource must be recovered according to the constraints, conditions, or policies governed by governor module 103.

FIG. 8 is a flowchart illustrating an example method 700 in accordance with an embodiment of the present invention. Method 700 begins at operation 703 by providing a user a virtual private cloud (VPC) configured to utilize a cloud-computing resource from the plurality of cloud-computing resources to perform a computer workload. At operation 706, method 700 then receives a request to perform the computer workload within the virtual private cloud. For example, in some embodiments, the computer workload may be an application, a server, a platform (e.g., a LAMP server), or an infrastructure element (e.g., a load-balancing unit). In another example, receiving the request to perform the computer workload comprises: receiving an application to be migrated to a cloud-computing environment for execution; and identifying the computer workload as necessary for executing the application. In yet another example, method 700 receives a computing workflow to be performed in the cloud-computing environment; and then identifies a computer workload to perform the computing workflow.

Then, at operation 709, method 700 identifies a cloud-computing resource to perform the computer workload. For example, identifying the cloud-computing resource may be based on a workload score determined by a scoring logic. For instance, the scoring logic may be based on a business attribute of the computer workload (e.g., whether it is mission-critical, required to satisfy a legal obligation, required for an SLA, or the like), a technical attribute of the computer workload (e.g., storage required, bandwidth required, processing speed required, or the like), an operational attribute of the computer workload (time of day for availability, seasonality, or the like), or any combination thereof. In some embodiments, the scoring logic may further be editable or grouped into collections of logic to provide scoring plans for examining multiple types of computer workloads in different ways (e.g., a grid computing scoring plan scoring workloads for an application destined to a cloud-computing service hosting grid workloads). In other embodiments, the scoring logic may be editable to allow enterprises to store business, technical, and operational attributes of a computing workload using enterprise-specific nomenclature, or to allow an enterprise to adjust attributes to a preferred score, consistent with business, technical, or operational metrics. In other embodiments, the scoring algorithm could be configurable, to weight the different attributes of the scoring algorithm based on business, technical, and operational metrics. The scoring algorithms are configurable in multiple ways and the scores are created by a set of rules. The rules may be cloud readiness rules, cloud value rules, or the like. The rule logic may be expressed as JavaScript, Java, or the like. The rules make it possible to call any programming language system, configuration management data system, or the like. In embodiments, the information retrieved by the rules can be added to the metamodel for the specified information technology resource. Rules are evaluated according to a plan. A plan is a set of rules and the weighting value assigned to each rule. For example, when a rule is a business criticality rule based on a set of metrics, and a plan is a “business contingency” plan, where the goal is to move infrastructure into a cloud that has disaster recovery and high availability built into it, the system with the highest business criticality weight may be moved first. When an item has been evaluated, the weighting values assigned to that item will be added to the metamodel associated with that item. Items could be systems, servers, databases, applications, workloads, and the like. Filters are used to decide where items should be placed. The filter first identifies the places where an item can be placed and then places the item in the place that is determined to be the best fit for the item. If the data assigned to score an item is complete, it will be marked as scored and appear in relevant reports. If the data assigned to score an item is incomplete, the item will be identified as requiring remediation. Different data attributes can be tagged as requiring different classes of individuals to complete the required information and preventing other classes of individuals from doing the same. Classes of individuals could be business users, technical users, and the like.

In embodiments, the present invention may provide for the categorization of workflows into workloads. Each computing workflow can be separated into a set of distinct workloads, each workload having requirements such as input, storage, processing, output, and the like. Each computing workload may have policy and metadata information stored by the system that includes what computing workload it is, how the computing workload is used, how quickly the computing workload needs to be performed, and the like. Each computing workload is instantiated through a customizable workflow. For example, a computing workload may require approval by a business unit, development team, quality assurance team, and an operations team. The workflow in this example would then be instantiated to solicit approval of requirements defined by each workload from each team.

At operation 712, method 700 provisions the cloud-computing resource from the plurality of cloud-computing resources for the virtual private cloud (VPC). For example, method 700 may provision by locating an unreserved cloud-computing resource within the plurality of cloud-computing resources, and reserving the unreserved cloud-computing resource for the virtual private cloud.

Method 700 deploys the cloud-computing resource within the virtual private cloud at operation 715. Where the cloud-computing resource is a virtual computing resource, the virtual computing resource may be deployed under control of a virtual machine manager. In other embodiments, method 700 may deploy the cloud-computing resource according to a condition for the computer workload, where the condition determines if or when the cloud-computing resource can be deployed within the virtual private cloud to perform the computer workload. For example, the condition may require that the computer workload for backup servers only operate during evening periods. To optimize performance of a computer workload, some embodiments may deploy a pre-determined set of cloud-computing resources to optimize the computer workload's performance.

Once the cloud-computing resource is deployed to the virtual private cloud, method 700 uses the cloud-computing resource to perform the computer workload at operation 718. Then, at operation 721, method 700 applies a policy or constraint on the cloud-computing resource. For example, where a policy is associated with a computer workload, method 700 may govern operation of the cloud-computing resource performing the computer workload in accordance with the policy.

FIGS. 9A-9D are screenshots of an example user interface in accordance with some embodiments of the present invention. FIG. 9A depicts a screenshot of a user interface to a planner module, which can plan a cloud-computing service comprising one or more cloud-computing resources. In the screenshot shown, a corporate blog application and a logistics application are shown being planned for creation. FIG. 9B depicts a screenshot of a user interface to a builder module, which can build a cloud-computing service comprising one or more cloud-computing resources. The illustrated screenshot shows a stack being built on a Linux base stack. FIG. 9C depicts a screenshot of a user interface to a consumption module, which can be utilized by a user to subscribe to and use a cloud-computing service comprising one or more cloud-computing resources. The screenshot for the consumption module user interface allows a user to subscribe to and use such instances as Linux, Windows® 2003 IIS server, Flatpress Blog Engine, and more. FIG. 9D depicts a screenshot of a user interface to a manager module, which can be utilized by a user to manage a cloud-computing service and its one or more cloud-computing resources. The screenshot shows the user interface of the manager module allowing a user to issue commands to cloud-computing services, such as stopping, running scripts, creating storage volumes, and attaching storage volumes to the cloud-computing services. The interface may be a web page, command line, development tool, and the like, such as Eclipse or Visual Studio, and apps such as iPhone/iPad applications. In embodiments, an API may be called that will allow a user to make changes and consume services in a way that is consistent with the company policy. For instance, an API may be implemented as a REST and SOAP interface, which are standard formats for services that may be exposed over different protocols in a standard way.

Project team members may have substantially different functional roles, and as such, each user interface module may be designed to support one or more of the functional roles encountered in the Systems Development Life Cycle (SDLC). The user interface modules represented in FIGS. 9A-9D may be accessed and used by project team members and presented for the functions those team members may have in the systems development life cycle of the project for which the cloud-computing services are being designed, built, provisioned, and consumed. As well, the interface to each module may be designed to best serve the type of function that will be performed as part of the SDLC phase being addressed. The user interface components of each module may access the Policy Engine in order to represent the controls, access, and assets available to the functionally specific users, so as to preserve the integrity, security and compliance of the cloud-computing services in each aspect of the SDLC phase.

The present invention may provide a comprehensive enterprise-grade facility based on federation of IaaS, PaaS, SaaS, and the like, delivered by a plurality of internal and external cloud providers, enabling advantages including the ability to intelligently govern, secure, and manage a user's critical applications for cloud environments; automate the planning, building, sharing, and running lifecycle for optimal speed and efficiency, providing policy driven, end-to-end identity management across the plurality of cloud environments; deliver comprehensive cost, performance, and consumption visibility; integrate with a client's existing IT infrastructure including asset management, authentication and authorization, audit and governance, performance monitoring, and chargeback billing systems; and the like. In other embodiments, the present invention may provide for a layer that allows chargeback billing data to be imported from reporting tools or integrated monitoring systems, and the ability to “over recover” or “under recover” charges relative to the service provider's specified rates, providing a comprehensive audit trail. For example, if an enterprise is providing its internal users value-added services based on the Amazon EC2 service, the enterprise can add its own costs to the rate charged by Amazon, to recover the costs the enterprise incurs when providing the service to the internal users.

Referring to FIG. 10, an alternate module structure is depicted for the platform 20 for providing capabilities to specific roles across the lifecycle, including a planner module 1002 (which may have any of the capabilities described for the planner module 23), a designer module 1004 (which may have any of the capabilities of the design module 29), a centerpoint module 1008, a manager module 1010 (which may have any of the capabilities of the manager module 26), and an access module 1012, which may collectively provide the platform with management, security, policy, governance, and the like functionality as described herein. The platform 20, as in the example depicted in FIG. 1 and detailed herein, is able to provide virtual private cloud facilities to users through the cloud provider environment, including external private clouds 1014 (e.g. external companies, such as Savvis, with dedicated connectivity and instances), internal private clouds 1018 (e.g. current data centers that support virtualization and cloud), secure public clouds 1020 (e.g. multi-tenant architectures, such as Amazon), PaaS providers 1022, SaaS providers 1024, and the like. The functions of the Cloud-Computing Platform 20 depicted in FIG. 1 map directly to the modules of the Platform 20 depicted in FIG. 10 as follows: the Planner Module 23 maps directly to the Planner Module 1002, the Builder Module 29 maps directly to the Designer Module 1004, the Consumption Module 32 maps directly to the CenterPoint Module 1008, and the Manager Module 26 maps directly to the Manager Module 1010. The Repository Module 30 of FIG. 1 is encompassed in the platform database and the functions provided and depicted as Governance, Policy, Security and Management for the Platform 20. The Access Module 1012 provides a single sign-on function for the platform 20, allowing connectivity to enterprise identity systems such as LDAP/AD, which is shown in FIG. 5 and maps to the Identity Module 29.
The planner module 1002 may help analysts and architects streamline application migration activities by analyzing and scoring application workloads to evaluate their suitability, and generate recommendations for right-sizing and right-placement across multiple internal as well as external service provider options. The planner module 1002 may also allow analysts and architects the ability to construct new rules and rule-sets for evaluating new and different types of application workloads in evaluating cloud readiness, cloud value, and right placement recommendations. The designer module 1004 may provide technical users with a graphical workbench to rapidly assemble policy-compliant stacks, workloads, and applications for any number of deployment environments. It may include a library of pre-built, reusable assets with the ability to create and publish new ones. The centerpoint module 1008 may facilitate the sharing and collaboration of cloud assets with fine-grain access controls, search capabilities, automated notifications, rating and commenting of assets, and access to detailed consumption reports. The manager module 1010 may provide a unified interface to streamline deployment and runtime management for any number of cloud providers, including monitoring of running instances and detailed performance and costing information. The access module 1012 may deliver federated identity management to the full range of highly dynamic services managed (e.g. including IaaS, PaaS, and SaaS providers) along with the platform 20. It may also integrate with and support a plurality of protocols, such as LDAP, Active Directory, X.500, and the like. In each case the modules represented may reside on a common Policy Engine that ensures the integrity and security of the system by enforcing policy and access rights, so that the users accessing each module access only those assets and functions that are allowed for their functional role.

The platform 20 may exist in an IT ecosystem and utilize a plurality of both cloud-based and dedicated resources that integrate with the platform, where these integration points may take place both within an enterprise's existing IT infrastructure and also extend out to a plurality of external providers and services, such as in applying to both pre-production and production cloud environments. FIG. 11 provides an example illustration of the IT ecosystem as a plurality of these both dedicated and cloud-based resources, including security 1102 (e.g. proxy integration, host firewalls, hypervisor-based firewalls, host intrusion detection, external key store, VLAN management, VPN, file system encryption), IaaS 1104, external clouds 1108 (e.g. GoGrid, Amazon, Terremark, Fujitsu, Savvis, vCloud Director based cloud offerings (Dell and others), Joyent, vCloud Express offerings), storage 1110 (e.g. NFS, VMFS, SAN, Amazon S3, EMC, Oracle, NetApp), internal clouds 1112 (e.g. vSphere, Cloud.com, Eucalyptus, OpenStack, Hyper-V, Xen, KVM), PaaS 1114 (e.g. Hadoop, Azure, EnterPaaS, VMware CloudFoundry, IBM WebSphere, Oracle WebLogic), orchestration 1118 (e.g. autoscaling, scripting framework, file management), SaaS 1120 (e.g. Salesforce.com, Intuit, Google Apps), desktop as-a-service 1122 (e.g. Citrix, VMware, Cicero, Framehawk), accounting and chargeback 1124 (e.g. Ariba, SAP), continuous integration 1128 (e.g. Collabnet, Apache Maven, Subversion, Jenkins CI), disaster recovery 1130 (e.g. Double Take), network services 1132 (e.g. DNS, DHCP, load balancer, NTP), governance 1134 (e.g. Axway, SOA Software), performance monitoring 1138 (e.g. Ganglia, Collectd), identity management 1140 (e.g. Oracle OAM, Netegrity, LDAP, Kerberos, SAML, RSA ClearTrust, Active Directory), and the like.

Referring to FIG. 12, the platform 20 may deliver unified governance for IaaS, PaaS, and DaaS workloads across a federation of internal and external cloud providers 1202, 1204, 1208, leveraging scheduling and placement policies to optimize the placement and type of workloads that are being run on a temporal or scheduled basis. As an example, during the day, scheduling policies may devote much of the cloud compute capacity to running virtualized desktops; however, as the evening approaches and workers go home, the demand for DaaS drops, and the cloud compute capacity can be utilized for compute intensive applications such as financial trade simulation models running on grid-compute nodes. This policy approach also allows cloud-compute services to be shifted to lower cost cloud provider environments. As such, the inherent policies provided by the platform 20 lower costs by maximizing the utility of the cloud infrastructure, while also lowering costs by aligning workload placement to the provider environments best fit to run those types of workloads.
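The time-based deployment condition from operation 715 (backup servers only in the evening) and the day/night scheduling policy just described, as an added example that is not part of the patent: each workload class carries a run window and the provider kinds it may use, and placement for a given hour defers out-of-window workloads and sends the rest to the cheapest permitted provider with room, so daytime desktops and evening grid compute share the same internal capacity. Provider names, capacities, costs and workload classes are constructed.

```javascript
// A window is [startHour, endHour) on a 24-hour clock; it may wrap midnight.
function inWindow(hour, [start, end]) {
  return start < end ? hour >= start && hour < end : hour >= start || hour < end;
}

// Scheduling policy per workload class (constructed): when it may run,
// which provider kinds are acceptable, and how many compute units it needs.
const schedulingPolicy = {
  daas:    { window: [7, 19], allow: ['internal', 'secure-public'], units: 4 },
  backup:  { window: [20, 4], allow: ['internal'], units: 2 },
  gridSim: { window: [19, 7], allow: ['internal', 'secure-public'], units: 6 },
  prodWeb: { window: [0, 24], allow: ['internal', 'external-private', 'secure-public'], units: 2 },
};

// Constructed provider federation; cost is per compute unit per hour.
const providers = [
  { name: 'dc-east', kind: 'internal', capacity: 10, costPerUnit: 1.0 },
  { name: 'ext-private', kind: 'external-private', capacity: 6, costPerUnit: 1.8 },
  { name: 'public-vpc', kind: 'secure-public', capacity: 20, costPerUnit: 2.5 },
];

// Place each request for the given hour. Out-of-window workloads are
// deferred; the rest go to the cheapest allowed provider with capacity
// left, and anything that fits nowhere is reported as overflow.
function place(hour, requests) {
  const free = new Map(providers.map((p) => [p.name, p.capacity]));
  const result = { placed: [], deferred: [], overflow: [] };
  for (const req of requests) {
    const pol = schedulingPolicy[req.class];
    if (!pol) throw new Error(`no scheduling policy for workload class ${req.class}`);
    if (!inWindow(hour, pol.window)) {
      result.deferred.push(req.name);
      continue;
    }
    const candidates = providers
      .filter((p) => pol.allow.includes(p.kind) && free.get(p.name) >= pol.units)
      .sort((a, b) => a.costPerUnit - b.costPerUnit);
    if (!candidates.length) {
      result.overflow.push(req.name);
      continue;
    }
    const chosen = candidates[0];
    free.set(chosen.name, free.get(chosen.name) - pol.units);
    result.placed.push({ name: req.name, provider: chosen.name, cost: pol.units * chosen.costPerUnit });
  }
  return result;
}

// Constructed request set: three desktop pools, a nightly backup, a grid
// simulation and an always-on production web tier.
const sampleRequests = [
  { name: 'vdi-pool-a', class: 'daas' },
  { name: 'vdi-pool-b', class: 'daas' },
  { name: 'vdi-pool-c', class: 'daas' },
  { name: 'nightly-backup', class: 'backup' },
  { name: 'trade-sim', class: 'gridSim' },
  { name: 'www', class: 'prodWeb' },
];

console.log('10:00', JSON.stringify(place(10, sampleRequests)));
console.log('22:00', JSON.stringify(place(22, sampleRequests)));
```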

In embodiments, policy-driven governance may be integral to the platform 20 and to the end-to-end lifecycle, creating and enforcing policies in a closed-loop governance lifecycle, such as an extensible policy framework to support unique needs, customizable approval workflow, integration with corporate audit and governance systems, establishing a foundation for audits and policy reviews, and the like. Referring again to FIG. 10, the planner module 1002 may contribute to the creation of design-time policies, such as access rights, right-placement parameters, regulatory restrictions, and the like. The designer module 1004 may contribute to the creation of run-time policies, such as auto-scaling parameters, maximum instances allowed, and the like. The centerpoint module 1008 may enforce access policies, ensuring that the right users are accessing the right assets and deploying those assets in the right places, and the like. The manager module 1010 may enforce run and design-time policies, such as allowing cloud-compute services to scale up or down in response to load or other conditions in the environment, as well as preventing users from consuming arbitrary amounts of compute resources, and the like. The access module 1012 may enforce access policies across internal and external service providers, and the like. In this way, policy creation is an integrated process across the platform.

In embodiments, the present invention may provide many advantages, including a unified interface to deploy and monitor workloads across internal and external service providers; rapid creation of new workloads and re-architecting of existing ones for cloud portability and on-demand provisioning; automated right-sizing, right-placement, and user access decisions via enforceable policies; deployable and dynamically configurable complex application topologies in real-time; metered usage with integrated chargeback and billing; real-time monitoring and support for auto-scaling and bursting across multiple clouds; federated identity management across internal and external providers; a pre-built library of re-usable stacks to accelerate assembly and deployment; incorporated end-to-end security that spans network, access rights, instances, and data; complete visibility and transparency via role-based reports, policy reviews, and audit trails; creation and enforcement of policies in a closed loop governance and management lifecycle; scoring and prioritization of workloads for migration; consolidated monitoring, reporting and metering including integrated chargeback/billing; platform deployment flexibility to locate securely on premises or as a SaaS offering; and the like.

Automated governance through the present invention may enable new capacity optimization strategies to maximize the utilization of hardware and server resources through the dynamic placement of different sized workloads, where the platform may manage placement of workloads from large (e.g. production applications, load test environments) to small (e.g. virtual desktops), perform monitoring and manage application auto-scaling, roll over seamlessly to external cloud providers when internal capacity limits are reached, and the like. Use of the platform across a plurality of cloud workloads may allow the user to create new capacity optimization strategies to make the most of a user's internal resources, such as through dynamic placement of different sized workloads, and combining these workloads to achieve high capacity and/or utilization of a given computing facility. To enable this, the platform may perform application monitoring, workload placement, workload scheduling as well as workload and application auto-scaling, and the like, as appropriate.

In embodiments, the present invention may provide for a self-service enterprise application store, which provides access to a global, cross-platform, software distribution network for multiple service offerings, accessible through any web browser such as Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and the like. In embodiments such an enterprise application store can be used to drive virtual desktop installations, provision enterprise server systems, connect to SaaS solutions, and integrate with custom, third-party software and services and the like. In embodiments such an enterprise application store can provide a full range of services to manage and monitor the provisioning of services. The services could be a wide range of services required by enterprises, such as software publishing and ordering, order approval, license management, chargeback and invoicing, integration with a global marketplace, and the like. The service offerings could be infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) offerings, and the like. In further embodiments, the service offerings could be internal services, open source services, third party services, and the like. In other further embodiments, the present invention may provide for a single sign-on capability for each of the service offerings.

The application store software publishing capability can include tools to package and publish software and services to the application store, such as to allow a customer of services from the application store to develop its own software and publish its own service, which in turn can be made available through the application store. For example, a service builder could obtain from the enterprise application store a set of services that provide storage capability and that retrieve a given set of input data, such as from various sources. The service builder can then build its own service by adding a processing service that processes the inputs into outputs that are stored in the data storage and made available for other users who wish to have those outputs, such as for their own services. The new service can be stored in the enterprise application store for further use by others. A user of the enterprise application store may organize software services into manageable “catalogs” to control user access and experience, apply rich security, usage, and billing policies to entire catalogs, catalogs of catalogs, or individual offerings, configure workflows for publishing approvals, and the like.

The application store software ordering capability can include an intuitive interface for browsing and purchasing published software and services, allow a user to purchase software and services for itself or on behalf of an entire group of users, schedule deployments upon purchase or for a date in the future, and the like. In other embodiments, the software ordering capability can include a customizable user interface, which allows a user to build browsing and ordering interface widgets customized to the needs of the user and then make those widgets available to the user's users through the application store.

The software application store order approval capability can include an integrated purchase approval system that follows a flexible workflow that is consistent with industry standards and best practices, a pluggable service model to allow for transparent integration with third-party approval systems, and the like. In other embodiments the order approval capability includes a highly customizable workflow that can be built from individual approval systems that can be chained together in various and selectable sequences. These various and selectable sequences can be varied by catalog, catalog item, user, user group, and the like.

In embodiments, the ordering and approval capabilities may be filtered or otherwise limited by the user who is placing the order and/or the application on whose behalf the order is being placed. Results made available to a user and/or an application may be pre-filtered to only show those services that are available to that user and/or application. The user can be categorized by its role in the organization, or the like. The application can be categorized by its role, function, assigned policies, and the like.

The license management capability can include the creation of detailed licensing policies for individual software modules and services, a component model to allow for integration with a wide range of vendor licensing servers, runtime license checking when used with virtual machine instances managed by the present invention, and the like.

The chargeback and invoicing capability can include an integrated change management service with a configurable workflow, an adapter model allowing for integration with existing financial and asset management systems, flexible pricing policies to allow for the establishment of one-time charges or variable, usage based models, detailed organization modeling to allow for the distribution of cost across multiple cost centers, a flexible API that allows for the customization of the billing workflow, and the like. For example, invoices could be posted directly to the enterprise's enterprise resource planning (ERP) or payables system. In other embodiments, the present invention provides for the ability to report chargeback and invoicing information to both the user of the service and the provider of the service from the software application store.

The capability to be integrated with a global marketplace can include publish and subscribe access to an open market of verified software, an integrated and stringent approval process for all submissions, access to a free catalog of packaged and open-source solutions, the ability of a user to package and upload its custom solutions for exposure to a global market, the ability of a user to offer its software free or through a licensing/pricing model with automated chargeback, defined by the user, and the like.

In embodiments of the present invention, the software application store supports the recursive publishing of applications. The recursive publishing could include multiple iterations of an application published by multiple users, groups of users, enterprises, departments within enterprises, and the like. For example, a first department of a first enterprise could publish a first IaaS application back into the software application store, a second department of the first enterprise could then publish a PaaS application on top of the IaaS application published by the first department, and a third department of the first enterprise could purchase the PaaS built on top of the IaaS application, and the license fees paid by the third department would be split between the first and second departments.

In embodiments of the present invention, the data that may be associated with the content available in the software application store is an SKU, policy, SKU-Policy, catalog, and the like. An SKU is the primary entity describing content available through the software application store and is a pure virtual entity describing a potentially addressable software component or interaction. An interaction can be a module, service, or the like. An SKU can be defined as a software module or a service binding. A software module represents an offering comprised of one or more physical software components, which can include source code, binaries, and the like, and the software module encapsulates the information needed to resolve binaries to locations on the shared filesystem, resolve binary dependencies, locate and provision associated software packages, and the like. A service binding models a software-as-a-service (SaaS) type offering and encapsulates the information needed to configure user access to services, authenticate, bind to services, and the like. A policy will be applied as defined by standard policy types, resolved, and applied by modules as described elsewhere in this disclosure. In other embodiments, additional policy types and definitions, with possible extensions to existing models, may be added to support the software application store. An SKU-Policy is the collection of policies associated with a given SKU and is an extensible set of required or optional policies, which may be conditionally applied. A catalog is a collection of SKUs, filtered through access control, which can be applied at any level and made available to a group of users. In further embodiments access control can be used to introduce further groupings below the root level. A given catalog instance is a rule-based expression of the root catalog. The root catalog is defined as the base set of SKU data available to all subscribers.
All SKUs published in the root catalog are ‘inherited’ by all derived catalogs. For example, the basic catalog hierarchy can be root catalog -> customer catalog -> user catalog.
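The SKU, SKU-Policy and catalog model from the two paragraphs above, as an added example that is not part of the patent: the root catalog holds the base SKU set, each derived catalog (customer, then user) is a rule over its parent so root SKUs are inherited downward and filtered by access control, and an SKU-Policy is resolved per subscriber with required policies always applied and optional ones applied conditionally. Policy type names, SKU ids, tiers and roles are constructed.

```javascript
// Standard policy types (constructed). `applies` is evaluated against the
// subscriber context; a required policy is applied regardless of context.
const policyTypes = {
  licenseCheck:   { required: true,  applies: () => true },
  piiHandling:    { required: true,  applies: () => true },
  exportControl:  { required: false, applies: (ctx) => ctx.region !== 'US' },
  approvalNeeded: { required: false, applies: (ctx) => ctx.role !== 'admin' },
};

// The root catalog: the base SKU set available to all subscribers. Each
// SKU is a software module or a service binding and carries its SKU-Policy.
const rootCatalog = {
  name: 'root',
  rule: () => true,
  skus: [
    { id: 'linux-base',  kind: 'module',  tier: 'free', skuPolicy: ['licenseCheck'] },
    { id: 'win2003-iis', kind: 'module',  tier: 'paid', skuPolicy: ['licenseCheck', 'exportControl'] },
    { id: 'blog-engine', kind: 'module',  tier: 'free', skuPolicy: ['licenseCheck', 'approvalNeeded'] },
    { id: 'crm-saas',    kind: 'service', tier: 'paid', skuPolicy: ['licenseCheck', 'piiHandling', 'approvalNeeded'] },
  ],
};

// A derived catalog holds no SKUs of its own: only a parent and a rule
// (a predicate over SKU and subscriber context) that narrows the parent.
function deriveCatalog(name, parent, rule) {
  return { name, parent, rule };
}

// Resolve the SKUs visible in a catalog by walking up to the root and then
// applying each catalog's rule on the way back down (root -> customer -> user).
function resolveSkus(catalog, ctx) {
  const chain = [];
  for (let c = catalog; c; c = c.parent) chain.unshift(c);
  let skus = chain[0].skus;
  for (const c of chain) skus = skus.filter((s) => c.rule(s, ctx));
  return skus;
}

// Resolve which of a SKU's policies apply for one subscriber. An unknown
// policy name is an error rather than being skipped, so a SKU can never be
// served with part of its SKU-Policy silently dropped.
function resolvePolicies(sku, ctx) {
  const applied = [];
  for (const name of sku.skuPolicy) {
    const p = policyTypes[name];
    if (!p) throw new Error(`unknown policy type ${name} on SKU ${sku.id}`);
    if (p.required || p.applies(ctx)) applied.push(name);
  }
  return applied;
}

// Constructed hierarchy: the customer catalog hides paid service bindings,
// and the user catalog shows only free items unless the subscriber is an admin.
const customerCatalog = deriveCatalog('acme', rootCatalog,
  (s) => !(s.kind === 'service' && s.tier === 'paid'));
const userCatalog = deriveCatalog('acme/dev', customerCatalog,
  (s, ctx) => ctx.role === 'admin' || s.tier === 'free');

// What a subscriber sees, with the policies that will govern each item.
function visibleWithPolicies(catalog, ctx) {
  return resolveSkus(catalog, ctx).map((s) => ({ id: s.id, policies: resolvePolicies(s, ctx) }));
}

console.log(JSON.stringify(visibleWithPolicies(userCatalog, { role: 'developer', region: 'DE' })));
```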

FIG. 13 depicts an embodiment of a software application store and marketplace interaction structure, such as with software application store services, including policy management, object models, process handlers, repository providers, filesystem services and workflow services, interfacing with marketplace services, such as with software application store workflow connectors, a shared filesystem, a software application store repository, and the like. The components could be a marketplace, shared filesystem, filesystem client, server components, repository, user interface, and the like. The marketplace is the central ‘public’ repository that hosts the components listed in the root catalog, and consists of a cluster of servers hosting a portion of the shared filesystem and a subset of the software application workflow components to manage publishing, approvals, and browsing. The marketplace may have its own basic user interface consisting of a few simple web pages, which provide access to the functionality of the software application interface. The shared filesystem may be a clustered, parallel filesystem housing all the physical components needed by the software application store and its offerings. The filesystem may be self-contained and may be used outside of the software application store or the system of the present invention. For example, marketplace catalog items can be hosted on the shared filesystem. The software application store may offer service components that simplify filesystem administration tasks and serve to isolate other components from the physical filesystem implementation. The filesystem client may be a client that accesses the software application store shared filesystem namespace using local filesystem semantics. For example, the namespace root may appear to the user as a local mount point or network mapped drive.
In other embodiments, a number of client-side components may be installed to provide access to the software application store shared filesystem through the filesystem client. The present invention requires at least one client package for each target operating system and/or distribution. The filesystem client components are distributed through standard packages of the present invention that contain the scripts and attachments necessary to establish connectivity to the software application store shared filesystem through the filesystem client. The server components may be the core applications of the software application store and include the base object model, workflow processing components, catalog and metamodel access providers, unique policy definitions, and the like. The repository may be the collection of data structures housing the software application store metamodel, configuration, catalog data, and the like, and is internal to the software application store. The user interface may be the collection of interface elements used to access software application store functionality and is implemented as a completely separate application that integrates with the main user interface of the present invention, described elsewhere in this disclosure. In further embodiments, the software application store may make available shareable widgets that are an extension of the software application store user interface.

In other further embodiments, the software application store includes the capabilities to display lists of applications, application ratings, application reviews, other social features, and the like.

The term tool can be used to refer to any apparatus configured to perform a recited function. For example, tools can include a collection of one or more modules and can also be comprised of hardware, software or a combination thereof. Thus, for example, a tool can be a collection of one or more software modules, hardware modules, software/hardware modules or any combination or permutation thereof. As another example, a tool can be a computing device or other appliance on which software runs or in which hardware is implemented.

As used herein, the term module might describe a given unit of functionality that can be performed in accordance with one or more embodiments of the present invention. As used herein, a module might be implemented utilizing any form of hardware, software, or a combination thereof. For example, one or more processors, controllers, ASICs, PLAs, PALs, CPLDs, FPGAs, logical components, software routines or other mechanisms might be implemented to make up a module. In implementation, the various modules described herein might be implemented as discrete modules or the functions and features described can be shared in part or in total among one or more modules. In other words, as would be apparent to one of ordinary skill in the art after reading this description, the various features and functionality described herein may be implemented in any given application and can be implemented in one or more separate or shared modules in various combinations and permutations. Even though various features or elements of functionality may be individually described or claimed as separate modules, one of ordinary skill in the art will understand that these features and functionality can be shared among one or more common software and hardware elements, and such description shall not require or imply that separate hardware or software components are used to implement such features or functionality.

Where components or modules of the invention are implemented in whole or in part using software, in one embodiment, these software elements can be implemented to operate with a computing or processing module capable of carrying out the functionality described with respect thereto. One such example computing module is shown in FIG. 10. Various embodiments are described in terms of this example computing module 900. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the invention using other computing modules or architectures.

Referring now to FIG. 10, computing module 900 may represent, for example, computing or processing capabilities found within desktop, laptop and notebook computers; hand-held computing devices (PDAs, smart phones, cell phones, palmtops, etc.); mainframes, supercomputers, workstations or servers; or any other type of special-purpose or general-purpose computing devices as may be desirable or appropriate for a given application or environment. Computing module 900 might also represent computing capabilities embedded within or otherwise available to a given device. For example, a computing module might be found in other electronic devices such as, for example, digital cameras, navigation systems, cellular telephones, portable computing devices, modems, routers, WAPs, terminals and other electronic devices that might include some form of processing capability.

Computing module 900 might include, for example, one or more processors, controllers, control modules, or other processing devices, such as a processor 904. Processor 904 might be implemented using a general-purpose or special-purpose processing engine such as, for example, a microprocessor, controller, or other control logic. In the illustrated example, processor 904 is connected to a bus 902, although any communication medium can be used to facilitate interaction with other components of computing module 900 or to communicate externally.

Computing module 900 might also include one or more memory modules, simply referred to herein as main memory 908. For example, random access memory (RAM) or other dynamic memory might be used for storing information and instructions to be executed by processor 904. Main memory 908 might also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 904. Computing module 900 might likewise include a read only memory (“ROM”) or other static storage device coupled to bus 902 for storing static information and instructions for processor 904.

The computing module 900 might also include one or more various forms of information storage mechanism 910, which might include, for example, a media drive 912 and a storage unit interface 920. The media drive 912 might include a drive or other mechanism to support fixed or removable storage media 914. For example, a hard disk drive, a floppy disk drive, a magnetic tape drive, an optical disk drive, a CD or DVD drive (R or RW), or other removable or fixed media drive might be provided. Accordingly, storage media 914 might include, for example, a hard disk, a floppy disk, magnetic tape, cartridge, optical disk, a CD or DVD, or other fixed or removable medium that is read by, written to or accessed by media drive 912. As these examples illustrate, the storage media 914 can include a computer usable storage medium having stored therein computer software or data.

In alternative embodiments, information storage mechanism 910 might include other similar instrumentalities for allowing computer programs or other instructions or data to be loaded into computing module 900. Such instrumentalities might include, for example, a fixed or removable storage unit 922 and an interface 920. Examples of such storage units 922 and interfaces 920 can include a program cartridge and cartridge interface, a removable memory (for example, a flash memory or other removable memory module) and memory slot, a PCMCIA slot and card, and other fixed or removable storage units 922 and interfaces 920 that allow software and data to be transferred from the storage unit 922 to computing module 900.

Computing module 900 might also include a communications interface 924. Communications interface 924 might be used to allow software and data to be transferred between computing module 900 and external devices. Examples of communications interface 924 might include a modem or softmodem, a network interface (such as an Ethernet, network interface card, WiMedia, IEEE 802.XX or other interface), a communications port (such as, for example, a USB port, IR port, RS232 port, Bluetooth® interface, or other port), or other communications interface. Software and data transferred via communications interface 924 might typically be carried on signals, which can be electronic, electromagnetic (which includes optical) or other signals capable of being exchanged by a given communications interface 924. These signals might be provided to communications interface 924 via a channel 928. This channel 928 might carry signals and might be implemented using a wired or wireless communication medium. Some examples of a channel might include a phone line, a cellular link, an RF link, an optical link, a network interface, a local or wide area network, and other wired or wireless communications channels.

In this document, the terms “computer program medium” and “computer usable medium” are used to generally refer to media such as, for example, memory 908, storage unit 920, media 914, and channel 928. These and other various forms of computer program media or computer usable media may be involved in carrying one or more sequences of one or more instructions to a processing device for execution. Such instructions embodied on the medium are generally referred to as “computer program code” or a “computer program product” (which may be grouped in the form of computer programs or other groupings). When executed, such instructions might enable the computing module 900 to perform features or functions of the present invention as discussed herein.

While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example only, and not of limitation. Likewise, the various diagrams may depict an example architectural or other configuration for the invention, which is done to aid in understanding the features and functionality that can be included in the invention. The invention is not restricted to the illustrated example architectures or configurations, but the desired features can be implemented using a variety of alternative architectures and configurations. Indeed, it will be apparent to one of skill in the art how alternative functional, logical or physical partitioning and configurations can be implemented to implement the desired features of the present invention. Also, a multitude of different constituent module names other than those depicted herein can be applied to the various partitions. Additionally, with regard to flow diagrams, operational descriptions and method claims, the order in which the steps are presented herein shall not mandate that various embodiments be implemented to perform the recited functionality in the same order unless the context dictates otherwise.

Although the invention is described above in terms of various exemplary embodiments and implementations, it should be understood that the various features, aspects and functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations, to one or more of the other embodiments of the invention, whether or not such embodiments are described and whether or not such features are presented as being a part of a described embodiment. Thus, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments.

Terms and phrases used in this document, and variations thereof, unless otherwise expressly stated, should be construed as open ended as opposed to limiting. As examples of the foregoing: the term “including” should be read as meaning “including, without limitation” or the like; the term “example” is used to provide exemplary instances of the item in discussion, not an exhaustive or limiting list thereof; the terms “a” or “an” should be read as meaning at least one, one or more or the like; and adjectives such as “conventional,” “traditional,” “normal,” “standard,” “known” and terms of similar meaning should not be construed as limiting the item described to a given time period or to an item available as of a given time, but instead should be read to encompass conventional, traditional, normal, or standard technologies that may be available or known now or at any time in the future. Likewise, where this document refers to technologies that would be apparent or known to one of ordinary skill in the art, such technologies encompass those apparent or known to the skilled artisan now or at any time in the future.

The presence of broadening words and phrases such as “one or more,” “at least,” “but not limited to” or other like phrases in some instances shall not be read to mean that the narrower case is intended or required in instances where such broadening phrases may be absent. The use of the term “module” does not imply that the components or functionality described or claimed as part of the module are all configured in a common package. Indeed, any or all of the various components of a module, whether control logic or other components, can be combined in a single package or separately maintained and can further be distributed in multiple groupings or packages or across multiple locations.

Additionally, the various embodiments set forth herein are described in terms of exemplary block diagrams, flow charts and other illustrations. As will become apparent to one of ordinary skill in the art after reading this document, the illustrated embodiments and their various alternatives can be implemented without confinement to the illustrated examples. For example, block diagrams and their accompanying description should not be construed as mandating a particular architecture or configuration.

While the invention has been described in connection with certain preferred embodiments, other embodiments would be understood by one of ordinary skill in the art and are encompassed herein.

The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software, program codes, and/or instructions on a processor. The present invention may be implemented as a method on the machine, as a system or apparatus as part of or in relation to the machine, or as a computer program product embodied in a computer readable medium executing on one or more of the machines. The processor may be part of a server, client, network infrastructure, mobile computing platform, stationary computing platform, or other computing platform. A processor may be any kind of computational or processing device capable of executing program instructions, codes, binary instructions and the like. The processor may be or include a signal processor, digital processor, embedded processor, microprocessor or any variant such as a co-processor (math co-processor, graphic co-processor, communication co-processor and the like) and the like that may directly or indirectly facilitate execution of program code or program instructions stored thereon. In addition, the processor may enable execution of multiple programs, threads, and codes. The threads may be executed simultaneously to enhance the performance of the processor and to facilitate simultaneous operations of the application. By way of implementation, methods, program codes, program instructions and the like described herein may be implemented in one or more threads. The thread may spawn other threads that may have assigned priorities associated with them; the processor may execute these threads based on priority or any other order based on instructions provided in the program code. The processor may include memory that stores methods, codes, instructions and programs as described herein and elsewhere. The processor may access a storage medium through an interface that may store methods, codes, and instructions as described herein and elsewhere. The storage medium associated with the processor for storing methods, programs, codes, program instructions or other type of instructions capable of being executed by the computing or processing device may include but may not be limited to one or more of a CD-ROM, DVD, memory, hard disk, flash drive, RAM, ROM, cache and the like.

A processor may include one or more cores that may enhance speed and performance of a multiprocessor. In embodiments, the processor may be a dual core processor, quad core processor, other chip-level multiprocessor and the like that combine two or more independent cores (called a die).

The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware. The software program may be associated with a server that may include a file server, print server, domain server, internet server, intranet server and other variants such as secondary server, host server, distributed server and the like. The server may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other servers, clients, machines, and devices through a wired or a wireless medium, and the like. The methods, programs or codes as described herein and elsewhere may be executed by the server. In addition, other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the server.

The server may provide an interface to other devices including, without limitation, clients, other servers, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of a program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more locations without deviating from the scope of the invention. In addition, any of the devices attached to the server through an interface may include at least one storage medium capable of storing methods, programs, code and/or instructions. A central repository may provide program instructions to be executed on different devices. In this implementation, the remote repository may act as a storage medium for program code, instructions, and programs.

The software program may be associated with a client that may include a file client, print client, domain client, internet client, intranet client and other variants such as secondary client, host client, distributed client and the like. The client may include one or more of memories, processors, computer readable media, storage media, ports (physical and virtual), communication devices, and interfaces capable of accessing other clients, servers, machines, and devices through a wired or a wireless medium, and the like. The methods, programs or codes as described herein and elsewhere may be executed by the client. In addition, other devices required for execution of methods as described in this application may be considered as a part of the infrastructure associated with the client.

The client may provide an interface to other devices including, without limitation, servers, other clients, printers, database servers, print servers, file servers, communication servers, distributed servers and the like. Additionally, this coupling and/or connection may facilitate remote execution of a program across the network. The networking of some or all of these devices may facilitate parallel processing of a program or method at one or more locations without deviating from the scope of the invention. In addition, any of the devices attached to the client through an interface may include at least one storage medium capable of storing methods, programs, applications, code and/or instructions. A central repository may provide program instructions to be executed on different devices. In this implementation, the remote repository may act as a storage medium for program code, instructions, and programs.

The methods and systems described herein may be deployed in part or in whole through network infrastructures. The network infrastructure may include elements such as computing devices, servers, routers, hubs, firewalls, clients, personal computers, communication devices, routing devices and other active and passive devices, modules and/or components as known in the art. The computing and/or non-computing device(s) associated with the network infrastructure may include, apart from other components, a storage medium such as flash memory, buffer, stack, RAM, ROM and the like. The processes, methods, program codes, instructions described herein and elsewhere may be executed by one or more of the network infrastructural elements.

The methods, program codes, and instructions described herein and elsewhere may be implemented on a cellular network having multiple cells. The cellular network may either be a frequency division multiple access (FDMA) network or a code division multiple access (CDMA) network. The cellular network may include mobile devices, cell sites, base stations, repeaters, antennas, towers, and the like. The cell network may be a GSM, GPRS, 3G, EVDO, mesh, or other network type.

The methods, program codes, and instructions described herein and elsewhere may be implemented on or through mobile devices. The mobile devices may include navigation devices, cell phones, mobile phones, mobile personal digital assistants, laptops, palmtops, netbooks, pagers, electronic book readers, music players and the like. These devices may include, apart from other components, a storage medium such as a flash memory, buffer, RAM, ROM and one or more computing devices. The computing devices associated with mobile devices may be enabled to execute program codes, methods, and instructions stored thereon. Alternatively, the mobile devices may be configured to execute instructions in collaboration with other devices. The mobile devices may communicate with base stations interfaced with servers and configured to execute program codes. The mobile devices may communicate on a peer to peer network, mesh network, or other communications network. The program code may be stored on the storage medium associated with the server and executed by a computing device embedded within the server. The base station may include a computing device and a storage medium. The storage device may store program codes and instructions executed by the computing devices associated with the base station.

The computer software, program codes, and/or instructions may be stored and/or accessed on machine readable media that may include: computer components, devices, and recording media that retain digital data used for computing for some interval of time; semiconductor storage known as random access memory (RAM); mass storage typically for more permanent storage, such as optical discs, forms of magnetic storage like hard disks, tapes, drums, cards and other types; processor registers, cache memory, volatile memory, non-volatile memory; optical storage such as CD, DVD; removable media such as flash memory (e.g. USB sticks or keys), floppy disks, magnetic tape, paper tape, punch cards, standalone RAM disks, Zip drives, removable mass storage, off-line, and the like; other computer memory such as dynamic memory, static memory, read/write storage, mutable storage, read only, random access, sequential access, location addressable, file addressable, content addressable, network attached storage, storage area network, bar codes, magnetic ink, and the like.

The methods and systems described herein may transform physical and/or intangible items from one state to another. The methods and systems described herein may also transform data representing physical and/or intangible items from one state to another.

The elements described and depicted herein, including in flow charts and block diagrams throughout the figures, imply logical boundaries between the elements. However, according to software or hardware engineering practices, the depicted elements and the functions thereof may be implemented on machines through computer executable media having a processor capable of executing program instructions stored thereon as a monolithic software structure, as standalone software modules, or as modules that employ external routines, code, services, and so forth, or any combination of these, and all such implementations may be within the scope of the present disclosure. Examples of such machines may include, but may not be limited to, personal digital assistants, laptops, personal computers, mobile phones, other handheld computing devices, medical equipment, wired or wireless communication devices, transducers, chips, calculators, satellites, tablet PCs, electronic books, gadgets, electronic devices, devices having artificial intelligence, computing devices, networking equipment, servers, routers and the like. Furthermore, the elements depicted in the flow chart and block diagrams or any other logical component may be implemented on a machine capable of executing program instructions. Thus, while the foregoing drawings and descriptions set forth functional aspects of the disclosed systems, no particular arrangement of software for implementing these functional aspects should be inferred from these descriptions unless explicitly stated or otherwise clear from the context. Similarly, it will be appreciated that the various steps identified and described above may be varied, and that the order of steps may be adapted to particular applications of the techniques disclosed herein. All such variations and modifications are intended to fall within the scope of this disclosure. As such, the depiction and/or description of an order for various steps should not be understood to require a particular order of execution for those steps, unless required by a particular application, or explicitly stated or otherwise clear from the context.

The methods and/or processes described above, and steps thereof, may be realized in hardware, software or any combination of hardware and software suitable for a particular application. The hardware may include a general-purpose computer and/or dedicated computing device or specific computing device or particular aspect or component of a specific computing device. The processes may be realized in one or more microprocessors, microcontrollers, embedded microcontrollers, programmable digital signal processors or other programmable device, along with internal and/or external memory. The processes may also, or instead, be embodied in an application specific integrated circuit, a programmable gate array, programmable array logic, or any other device or combination of devices that may be configured to process electronic signals. It will further be appreciated that one or more of the processes may be realized as a computer executable code capable of being executed on a machine-readable medium.

The computer executable code may be created using a structured programming language such as C, an object oriented programming language such as C++, or any other high-level or low-level programming language (including assembly languages, hardware description languages, and database programming languages and technologies) that may be stored, compiled or interpreted to run on one of the above devices, as well as heterogeneous combinations of processors, processor architectures, or combinations of different hardware and software, or any other machine capable of executing program instructions.

Thus, in one aspect, each method described above and combinations thereof may be embodied in computer executable code that, when executing on one or more computing devices, performs the steps thereof. In another aspect, the methods may be embodied in systems that perform the steps thereof, and may be distributed across devices in a number of ways, or all of the functionality may be integrated into a dedicated, standalone device or other hardware. In another aspect, the means for performing the steps associated with the processes described above may include any of the hardware and/or software described above. All such permutations and combinations are intended to fall within the scope of the present disclosure.

While the invention has been disclosed in connection with the preferred embodiments shown and described in detail, various modifications and improvements thereon will become readily apparent to those skilled in the art. Accordingly, the spirit and scope of the present invention is not to be limited by the foregoing examples, but is to be understood in the broadest sense allowable by law.

All documents referenced herein are hereby incorporated by reference.

1. A computer-implemented method comprising: receiving, by a computing system, a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying, by the computing system, a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating, by the computing system, a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying, by the computing system, the computer workload in a virtual private cloud within the cloud-computing environment; applying, by the computing system, the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud; and tagging, by the computing system, the computer workload to perform communications across a plurality of security zones, each security zone in the plurality of security zones having a defined set of associated firewalls, wherein the tagging the computer workload comprises applying firewall rules to the defined set of associated firewalls for the plurality of security zones to enable the computer workload to perform communications across the plurality of security zones.

2. The computer-implemented method of claim 1, further comprising: testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.

3. The computer-implemented method of claim 2, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.

4. The computer-implemented method of claim 1, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.

5. The computer-implemented method of claim 1, further comprising: tagging the computer workload based on the security zone to enable the computer workload to perform operations in the security zone.

6. The computer-implemented method of claim 1, wherein the cloud-computing environment is associated with a virtualization environment, and wherein the virtualization environment has a metamodel framework that allows the policy to be associated with the computer workload.

7. The computer-implemented method of claim 1, wherein the computer workload is included in an identified plurality of computer workloads configured to perform the computing workflow.

8. The computer-implemented method of claim 1, wherein the security zone is associated with at least one of a geographic zone, a network zone, an enterprise zone, an operational zone, or an organizational zone.

9. The computer-implemented method of claim 1, wherein the policy includes a security policy, and wherein the security policy is associated with at least one of an access policy, a write-permission policy, a resource utilization policy, or an editing permission policy.

10. The computer-implemented method of claim 9, further comprising: receiving, at a central policy server, a definition for the security policy, wherein the central policy server is configured to associate the security policy to at least one of the computer workload or a particular cloud-computing resource, out of the plurality of cloud-computing resources, that performs the computer workload; and pushing the security policy to the particular cloud-computing resource.

11. A system comprising: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the system to perform: receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying the computer workload in a virtual private cloud within the cloud-computing environment; applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud; and tagging the computer workload to perform communications across a plurality of security zones, each security zone in the plurality of security zones having a defined set of associated firewalls, wherein the tagging the computer workload comprises applying firewall rules to the defined set of associated firewalls for the plurality of security zones to enable the computer workload to perform communications across the plurality of security zones.

12. The system of claim 11, wherein the instructions cause the system to further perform: testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.

13. The system of claim 12, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.

14. The system of claim 11, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.

15. The system of claim 11, wherein the instructions cause the system to further perform: tagging the computer workload based on the security zone to enable the computer workload to perform operations in the security zone.

16. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform: receiving a computing workflow to be performed in a cloud-computing environment including a plurality of cloud-computing resources; identifying a computer workload to perform the computing workflow, wherein the computer workload includes a software unit of computing processing performed via at least one of an Infrastructure-as-a-Service (IaaS), a Platform-as-a-Service (PaaS), or a Service-as-a-Service (SaaS); associating a policy with the computer workload, wherein the policy is applied to the computer workload when the computer workload is deployed within a security zone assigned for the computer workload, wherein one or more boundaries of the security zone are updatable, wherein the policy is updatable for the computer workload when the computer workload is deployed within the security zone, and wherein the security zone is definable at differing levels of abstraction; deploying the computer workload in a virtual private cloud within the cloud-computing environment; applying the policy to the computer workload when the computer workload performs the computing workflow within the virtual private cloud; and tagging the computer workload to perform communications across a plurality of security zones, each security zone in the plurality of security zones having a defined set of associated firewalls, wherein the tagging the computer workload comprises applying firewall rules to the defined set of associated firewalls for the plurality of security zones to enable the computer workload to perform communications across the plurality of security zones.

17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions cause the computing system to further perform: testing the computer workload in a second virtual private cloud within the cloud-computing environment prior to deploying the computer workload.

18. The non-transitory computer-readable storage medium of claim 17, wherein the virtual private cloud corresponds to a production virtual private cloud, and wherein the second virtual private cloud corresponds to a pre-production virtual private cloud.

19. The non-transitory computer-readable storage medium of claim 16, wherein the security zone is definable by a developer, and wherein the policy is applicable, by the developer, with respect to the security zone.

20. The non-transitory computer-readable storage medium of claim 16, wherein the instructions cause the system to further perform: tagging the computer workload based on the security zone to enable the computer workload to perform operations in the security zone.
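The claims above describe a workload whose policy is bound at development time and enforced when the workload is deployed into a security zone, with cross-zone communication enabled only by an explicit tagging step that pushes firewall rules to each zone's defined set of firewalls. The following is an added Python model of that mechanism (example code written for this page, not the patent's or any product's own implementation); the class names, the rule strings, the zone and workload names and the rule that only policy types matching the zone's level of abstraction take effect are all assumptions. It also adds the check a reviewer would want: a tag alone does not prove reachability unless every firewall on both sides actually carries the rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str        # e.g. "access", "write-permission", "resource-utilization"
    zone_level: str  # abstraction level of the zone this policy type targets (assumed)


@dataclass
class SecurityZone:
    name: str
    level: str                                  # "network", "geographic", "enterprise", ...
    firewalls: List[str]                        # the zone's defined set of firewalls
    rules: Dict[str, List[str]] = field(default_factory=dict)  # firewall -> ALLOW rules

    def __post_init__(self) -> None:
        for fw in self.firewalls:
            self.rules.setdefault(fw, [])


@dataclass
class Workload:
    name: str
    policies: List[Policy]                      # attached via the metamodel at dev time
    zone: Optional[str] = None                  # assigned on deployment
    cross_zone_tags: Set[str] = field(default_factory=set)
    applied: List[str] = field(default_factory=list)


class ZoneController:
    """Hypothetical controller: defines zones, deploys workloads into them and expands
    cross-zone tags into firewall rules. Firewalls deny by default; only a recorded rule permits traffic."""

    def __init__(self) -> None:
        self.zones: Dict[str, SecurityZone] = {}

    def define_zone(self, zone: SecurityZone) -> None:
        self.zones[zone.name] = zone

    def _enforce(self, wl: Workload) -> None:
        # Only policy types declared for this zone's abstraction level take effect (assumed rule).
        wl.applied = sorted(p.name for p in wl.policies if p.zone_level == self.zones[wl.zone].level)

    def deploy(self, wl: Workload, zone_name: str) -> List[str]:
        if zone_name not in self.zones:
            raise KeyError(f"unknown security zone {zone_name!r}")
        wl.zone = zone_name
        self._enforce(wl)
        return wl.applied  # names of the policies now applied

    def update_policy(self, wl: Workload, policy: Policy) -> List[str]:
        """Replace or add a policy; re-applied in place if the workload is already deployed."""
        wl.policies = [p for p in wl.policies if p.name != policy.name] + [policy]
        if wl.zone is not None:
            self._enforce(wl)
        return wl.applied

    def tag_cross_zone(self, wl: Workload, peer_zones: List[str]) -> Dict[str, List[str]]:
        """Tag a deployed workload for traffic across the given zones: the rule is pushed to
        every firewall of the home zone and of each peer zone. Returns rules pushed per firewall."""
        if wl.zone is None:
            raise ValueError("workload must be deployed before cross-zone tagging")
        pushed: Dict[str, List[str]] = {}
        for peer in peer_zones:
            if peer not in self.zones:
                raise KeyError(f"unknown security zone {peer!r}")
            wl.cross_zone_tags.add(peer)
            rule = f"ALLOW {wl.name}@{wl.zone} <-> zone:{peer}"
            for zone in (self.zones[wl.zone], self.zones[peer]):
                for fw in zone.firewalls:
                    if rule not in zone.rules[fw]:  # idempotent: re-tagging pushes nothing new
                        zone.rules[fw].append(rule)
                        pushed.setdefault(fw, []).append(rule)
        return pushed

    def can_reach(self, wl: Workload, peer: str) -> bool:
        """True only if the workload is tagged for `peer` AND every firewall on both sides
        carries the rule: an audit check, rather than trusting the tag alone."""
        if wl.zone is None or peer not in self.zones:
            return False
        if peer == wl.zone:
            return True
        rule = f"ALLOW {wl.name}@{wl.zone} <-> zone:{peer}"
        zones = (self.zones[wl.zone], self.zones[peer])
        return peer in wl.cross_zone_tags and all(rule in z.rules[fw] for z in zones for fw in z.firewalls)


def build_demo() -> Tuple[ZoneController, Workload]:
    """Constructed scenario (not from the patent): two network-level zones and one workload."""
    ctl = ZoneController()
    ctl.define_zone(SecurityZone("prod-web", "network", ["fw-web-1", "fw-web-2"]))
    ctl.define_zone(SecurityZone("prod-db", "network", ["fw-db-1"]))
    wl = Workload("orders-api", [Policy("read-only-storage", "write-permission", "network"),
                                 Policy("eu-residency", "access", "geographic")])  # inert in a network zone
    ctl.deploy(wl, "prod-web")
    return ctl, wl
```

After `build_demo()`, `can_reach(wl, "prod-db")` is false until `tag_cross_zone` has pushed the rule to all three firewalls, and it becomes false again if any one firewall loses the rule even though the tag remains.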